From 2c15c7b6fc735cd40ee82a99e3ea6a75d550da78 Mon Sep 17 00:00:00 2001 From: Laurens Knoll <3205006+laurensknoll@users.noreply.github.com> Date: Fri, 30 Jul 2021 16:27:24 +0200 Subject: [PATCH 001/203] Improved support for go-getter urls with subdirectories like 'test.com/repo//subdir' --- checkov/common/goget/github/get_git.py | 34 ++++++++++++++++++++++---- 1 file changed, 29 insertions(+), 5 deletions(-) diff --git a/checkov/common/goget/github/get_git.py b/checkov/common/goget/github/get_git.py index be51741af9..8f4fe3ef80 100644 --- a/checkov/common/goget/github/get_git.py +++ b/checkov/common/goget/github/get_git.py @@ -35,12 +35,13 @@ def do_get(self): clone_dir = self.temp_dir + "/clone/" if self.create_clone_and_res_dirs else self.temp_dir result_dir = self.temp_dir + "/result/" - - if ".git//" in self.url: - git_url, internal_dir = self.url.split(".git//") - self._clone(git_url + ".git", clone_dir, result_dir, internal_dir) + + git_url, internal_dir = self._source_subdir() + + if internal_dir: + self._clone(git_url, clone_dir, result_dir, internal_dir) else: - self._clone(self.url, clone_dir, result_dir) + self._clone(git_url, clone_dir, result_dir) return result_dir @@ -52,3 +53,26 @@ def _clone(self, git_url, clone_dir, result_dir, internal_dir=''): Repo.clone_from(git_url, clone_dir) if self.create_clone_and_res_dirs: shutil.copytree(clone_dir + internal_dir, result_dir) + + # Split source url into Git url and subdirectory path e.g. test.com/repo//repo/subpath becomes 'test.com/repo', 'repo/subpath') + # Also see reference implementation @ go-getter https://github.com/hashicorp/go-getter/blob/main/source.go + def _source_subdir(self): + stop = len(self.url) + + query_index = = self.url.find("?") + if query_index > -1: + stop = query_index + + start = 0 + scheme_index = self.url.find("://", start, stop) + if scheme_index > -1: + start = scheme_index + 3 + + subdir_index = self.url.find("//", start, stop) + if subdir_index == -1: + return (self.url, "") + + internal_dir = self.url[subdir_index + 2:stop] + git_url = self.url[:subdir_index] + source_url[stop:] + + return (git_url, internal_dir) From d1230c53203ec61966d2e95c2453641eec063610 Mon Sep 17 00:00:00 2001 From: Laurens Knoll <3205006+laurensknoll@users.noreply.github.com> Date: Sat, 31 Jul 2021 08:42:53 +0200 Subject: [PATCH 002/203] Added unit tests to parse source url into git_url and subdirectory --- checkov/common/goget/github/get_git.py | 4 +- tests/common/goget/test_goget_github.py | 73 +++++++++++++++++++++++++ 2 files changed, 75 insertions(+), 2 deletions(-) create mode 100644 tests/common/goget/test_goget_github.py diff --git a/checkov/common/goget/github/get_git.py b/checkov/common/goget/github/get_git.py index 8f4fe3ef80..8fb8e8a09b 100644 --- a/checkov/common/goget/github/get_git.py +++ b/checkov/common/goget/github/get_git.py @@ -59,7 +59,7 @@ def _clone(self, git_url, clone_dir, result_dir, internal_dir=''): def _source_subdir(self): stop = len(self.url) - query_index = = self.url.find("?") + query_index = self.url.find("?") if query_index > -1: stop = query_index @@ -73,6 +73,6 @@ def _source_subdir(self): return (self.url, "") internal_dir = self.url[subdir_index + 2:stop] - git_url = self.url[:subdir_index] + source_url[stop:] + git_url = self.url[:subdir_index] + self.url[stop:] return (git_url, internal_dir) diff --git a/tests/common/goget/test_goget_github.py b/tests/common/goget/test_goget_github.py new file mode 100644 index 0000000000..7aa8961eb6 --- /dev/null +++ b/tests/common/goget/test_goget_github.py @@ -0,0 +1,73 @@ +import os +import unittest + +from checkov.common.goget.github.get_git import GitGetter + + +class TestGitGetter(unittest.TestCase): + + def test_parse_source(self): + url = "https://my-git.com/repository-name/" + getter = GitGetter(url) + git_url, subdir = getter._source_subdir() + self.assertEqual("https://my-git.com/repository-name/", git_url, "Parsed source url should contain hostname and path") + self.assertEqual("", subdir, "Parsed source subdirectory should be empty") + + def test_parse_source_and_subdirectory(self): + url = "https://my-git.com/repository-name.git//sub/path" + getter = GitGetter(url) + git_url, subdir = getter._source_subdir() + self.assertEqual("https://my-git.com/repository-name.git", git_url, "Parsed source url should contain hostname and path") + self.assertEqual("sub/path", subdir, "Parsed source subdirectory should contain relative path") + + def test_parse_source_and_subdirectory_without_git(self): + url = "https://my-git.com/repository-name//sub/path" + getter = GitGetter(url) + git_url, subdir = getter._source_subdir() + self.assertEqual("https://my-git.com/repository-name", git_url, "Parsed source url should contain hostname and path") + self.assertEqual("sub/path", subdir, "Parsed source subdirectory should contain relative path") + + def test_parse_source_with_query(self): + url = "https://my-git.com/repository-name?key=value" + getter = GitGetter(url) + git_url, subdir = getter._source_subdir() + self.assertEqual("https://my-git.com/repository-name?key=value", git_url, "Parsed source url should contain hostname, path and query") + self.assertEqual("", subdir, "Parsed source subdirectory should be empty") + + def test_parse_source_and_subdirectory_with_query(self): + url = "https://my-git.com/repository-name//sub/path?key=value" + getter = GitGetter(url) + git_url, subdir = getter._source_subdir() + self.assertEqual("https://my-git.com/repository-name?key=value", git_url, "Parsed source url should contain hostname, path and query") + self.assertEqual("sub/path", subdir, "Parsed source subdirectory should contain relative path") + + def test_parse_source_without_scheme(self): + url = "my-git.com/repository-name" + getter = GitGetter(url) + git_url, subdir = getter._source_subdir() + self.assertEqual("my-git.com/repository-name", git_url, "Parsed source url should contain hostname and path") + self.assertEqual("", subdir, "Parsed source subdirectory should be empty") + + def test_parse_source_and_subdirectory_without_scheme(self): + url = "my-git.com/repository-name//sub/path" + getter = GitGetter(url) + git_url, subdir = getter._source_subdir() + self.assertEqual("my-git.com/repository-name", git_url, "Parsed source url should contain hostname ane path") + self.assertEqual("sub/path", subdir, "Parsed source subdirectory should contain relative path") + + def test_parse_source_with_query_without_scheme(self): + url = "my-git.com/repository-name?key=value" + getter = GitGetter(url) + git_url, subdir = getter._source_subdir() + self.assertEqual("my-git.com/repository-name?key=value", git_url, "Parsed source url should contain hostname, path and query") + self.assertEqual("", subdir, "Parsed source subdirectory should be empty") + + def test_parse_source_and_subdirectory_with_query_without_scheme(self): + url = "my-git.com/repository-name//sub/path?key=value" + getter = GitGetter(url) + git_url, subdir = getter._source_subdir() + self.assertEqual("my-git.com/repository-name?key=value", git_url, "Parsed source url should contain hostname, path and query") + self.assertEqual("sub/path", subdir, "Parsed source subdirectory should contain relative path") + +if __name__ == '__main__': + unittest.main() From e6abd995f53cbaeb0d696c30991278a68663b274 Mon Sep 17 00:00:00 2001 From: Laurens Knoll <3205006+laurensknoll@users.noreply.github.com> Date: Thu, 5 Aug 2021 12:49:08 +0200 Subject: [PATCH 003/203] Fixed a bug: Git loader didn't use GitGetter return url, causing it to ignore possible go-getter submodule --- checkov/common/goget/github/get_git.py | 23 +++++++++++-------- .../module_loading/loaders/git_loader.py | 3 +-- 2 files changed, 14 insertions(+), 12 deletions(-) diff --git a/checkov/common/goget/github/get_git.py b/checkov/common/goget/github/get_git.py index 8fb8e8a09b..14f84db1ad 100644 --- a/checkov/common/goget/github/get_git.py +++ b/checkov/common/goget/github/get_git.py @@ -34,25 +34,28 @@ def do_get(self): from git_import_error clone_dir = self.temp_dir + "/clone/" if self.create_clone_and_res_dirs else self.temp_dir - result_dir = self.temp_dir + "/result/" git_url, internal_dir = self._source_subdir() - + + self._clone(git_url, clone_dir) + if internal_dir: - self._clone(git_url, clone_dir, result_dir, internal_dir) - else: - self._clone(git_url, clone_dir, result_dir) + # Point clone to sub-path + clone_dir = clone_dir + internal_dir - return result_dir + if self.create_clone_and_res_dirs: + result_dir = self.temp_dir + "/result/" + shutil.copytree(clone_dir, result_dir) + return result_dir + + return clone_dir - def _clone(self, git_url, clone_dir, result_dir, internal_dir=''): + def _clone(self, git_url, clone_dir): self.logger.debug("cloning {} to {}".format(self.url, clone_dir)) if self.tag: Repo.clone_from(git_url, clone_dir, b=self.tag) else: Repo.clone_from(git_url, clone_dir) - if self.create_clone_and_res_dirs: - shutil.copytree(clone_dir + internal_dir, result_dir) # Split source url into Git url and subdirectory path e.g. test.com/repo//repo/subpath becomes 'test.com/repo', 'repo/subpath') # Also see reference implementation @ go-getter https://github.com/hashicorp/go-getter/blob/main/source.go @@ -72,7 +75,7 @@ def _source_subdir(self): if subdir_index == -1: return (self.url, "") - internal_dir = self.url[subdir_index + 2:stop] + internal_dir = self.url[subdir_index + 1:stop] # Note: Internal dir is expected to start with / git_url = self.url[:subdir_index] + self.url[stop:] return (git_url, internal_dir) diff --git a/checkov/terraform/module_loading/loaders/git_loader.py b/checkov/terraform/module_loading/loaders/git_loader.py index 851bec7742..e8c7b1646b 100644 --- a/checkov/terraform/module_loading/loaders/git_loader.py +++ b/checkov/terraform/module_loading/loaders/git_loader.py @@ -16,8 +16,7 @@ def _load_module(self) -> ModuleContent: module_source = self.module_source.replace('git::', '') git_getter = GitGetter(module_source, create_clone_and_result_dirs=False) git_getter.temp_dir = self.dest_dir - git_getter.do_get() - return_dir = self.dest_dir + return_dir = git_getter.do_get() if self.inner_module: return_dir = os.path.join(self.dest_dir, self.inner_module) return ModuleContent(dir=return_dir) From f6753880feb45a4e8eb34b884fa91c62f1a98272 Mon Sep 17 00:00:00 2001 From: Laurens Knoll <3205006+laurensknoll@users.noreply.github.com> Date: Thu, 5 Aug 2021 12:59:37 +0200 Subject: [PATCH 004/203] Updated tests to expected absolute sub-path --- checkov/common/goget/github/get_git.py | 6 ++---- tests/common/goget/test_goget_github.py | 10 +++++----- 2 files changed, 7 insertions(+), 9 deletions(-) diff --git a/checkov/common/goget/github/get_git.py b/checkov/common/goget/github/get_git.py index 14f84db1ad..e1e647b45b 100644 --- a/checkov/common/goget/github/get_git.py +++ b/checkov/common/goget/github/get_git.py @@ -33,14 +33,12 @@ def do_get(self): raise ImportError("Unable to load git module (is the git executable available?)") \ from git_import_error - clone_dir = self.temp_dir + "/clone/" if self.create_clone_and_res_dirs else self.temp_dir - git_url, internal_dir = self._source_subdir() + clone_dir = self.temp_dir + "/clone/" if self.create_clone_and_res_dirs else self.temp_dir self._clone(git_url, clone_dir) if internal_dir: - # Point clone to sub-path clone_dir = clone_dir + internal_dir if self.create_clone_and_res_dirs: @@ -57,7 +55,7 @@ def _clone(self, git_url, clone_dir): else: Repo.clone_from(git_url, clone_dir) - # Split source url into Git url and subdirectory path e.g. test.com/repo//repo/subpath becomes 'test.com/repo', 'repo/subpath') + # Split source url into Git url and subdirectory path e.g. test.com/repo//repo/subpath becomes 'test.com/repo', '/repo/subpath') # Also see reference implementation @ go-getter https://github.com/hashicorp/go-getter/blob/main/source.go def _source_subdir(self): stop = len(self.url) diff --git a/tests/common/goget/test_goget_github.py b/tests/common/goget/test_goget_github.py index 7aa8961eb6..186e4bf771 100644 --- a/tests/common/goget/test_goget_github.py +++ b/tests/common/goget/test_goget_github.py @@ -18,14 +18,14 @@ def test_parse_source_and_subdirectory(self): getter = GitGetter(url) git_url, subdir = getter._source_subdir() self.assertEqual("https://my-git.com/repository-name.git", git_url, "Parsed source url should contain hostname and path") - self.assertEqual("sub/path", subdir, "Parsed source subdirectory should contain relative path") + self.assertEqual("/sub/path", subdir, "Parsed source subdirectory should contain absolute (sub)path") def test_parse_source_and_subdirectory_without_git(self): url = "https://my-git.com/repository-name//sub/path" getter = GitGetter(url) git_url, subdir = getter._source_subdir() self.assertEqual("https://my-git.com/repository-name", git_url, "Parsed source url should contain hostname and path") - self.assertEqual("sub/path", subdir, "Parsed source subdirectory should contain relative path") + self.assertEqual("/sub/path", subdir, "Parsed source subdirectory should contain absolute (sub)path") def test_parse_source_with_query(self): url = "https://my-git.com/repository-name?key=value" @@ -39,7 +39,7 @@ def test_parse_source_and_subdirectory_with_query(self): getter = GitGetter(url) git_url, subdir = getter._source_subdir() self.assertEqual("https://my-git.com/repository-name?key=value", git_url, "Parsed source url should contain hostname, path and query") - self.assertEqual("sub/path", subdir, "Parsed source subdirectory should contain relative path") + self.assertEqual("/sub/path", subdir, "Parsed source subdirectory should contain absolute (sub)path") def test_parse_source_without_scheme(self): url = "my-git.com/repository-name" @@ -53,7 +53,7 @@ def test_parse_source_and_subdirectory_without_scheme(self): getter = GitGetter(url) git_url, subdir = getter._source_subdir() self.assertEqual("my-git.com/repository-name", git_url, "Parsed source url should contain hostname ane path") - self.assertEqual("sub/path", subdir, "Parsed source subdirectory should contain relative path") + self.assertEqual("/sub/path", subdir, "Parsed source subdirectory should contain absolute (sub)path") def test_parse_source_with_query_without_scheme(self): url = "my-git.com/repository-name?key=value" @@ -67,7 +67,7 @@ def test_parse_source_and_subdirectory_with_query_without_scheme(self): getter = GitGetter(url) git_url, subdir = getter._source_subdir() self.assertEqual("my-git.com/repository-name?key=value", git_url, "Parsed source url should contain hostname, path and query") - self.assertEqual("sub/path", subdir, "Parsed source subdirectory should contain relative path") + self.assertEqual("/sub/path", subdir, "Parsed source subdirectory should contain absolute (sub)path") if __name__ == '__main__': unittest.main() From 2237d42c4848084a668f560e37d9b3f36ad08dff Mon Sep 17 00:00:00 2001 From: "Radoslav Denchev (FG-4-I-1)" Date: Thu, 5 Aug 2021 18:12:57 +0200 Subject: [PATCH 005/203] Fix wrong evaluation of CKV2_AZURE_8 if enabled=true --- ...StorageContainerActivityLogsNotPublic.yaml | 2 +- .../expected.yaml | 3 +- .../main.tf | 47 +++++++++++++++++-- 3 files changed, 45 insertions(+), 7 deletions(-) diff --git a/checkov/terraform/checks/graph_checks/azure/StorageContainerActivityLogsNotPublic.yaml b/checkov/terraform/checks/graph_checks/azure/StorageContainerActivityLogsNotPublic.yaml index 25649f8ec1..c9ef7522b7 100644 --- a/checkov/terraform/checks/graph_checks/azure/StorageContainerActivityLogsNotPublic.yaml +++ b/checkov/terraform/checks/graph_checks/azure/StorageContainerActivityLogsNotPublic.yaml @@ -31,7 +31,7 @@ definition: - azurerm_monitor_activity_log_alert attribute: enabled operator: equals - value: 'true' + value: true - cond_type: connection resource_types: - azurerm_storage_container diff --git a/tests/terraform/graph/checks/resources/StorageContainerActivityLogsNotPublic/expected.yaml b/tests/terraform/graph/checks/resources/StorageContainerActivityLogsNotPublic/expected.yaml index 8d10861c24..c7b6c9cad7 100644 --- a/tests/terraform/graph/checks/resources/StorageContainerActivityLogsNotPublic/expected.yaml +++ b/tests/terraform/graph/checks/resources/StorageContainerActivityLogsNotPublic/expected.yaml @@ -1,4 +1,5 @@ pass: - - "azurerm_storage_account.ok_account" + - "azurerm_storage_account.ok_account_1" + - "azurerm_storage_account.ok_account_2" fail: - "azurerm_storage_account.not_ok_account" \ No newline at end of file diff --git a/tests/terraform/graph/checks/resources/StorageContainerActivityLogsNotPublic/main.tf b/tests/terraform/graph/checks/resources/StorageContainerActivityLogsNotPublic/main.tf index cba4f160e6..a76a315362 100644 --- a/tests/terraform/graph/checks/resources/StorageContainerActivityLogsNotPublic/main.tf +++ b/tests/terraform/graph/checks/resources/StorageContainerActivityLogsNotPublic/main.tf @@ -1,6 +1,12 @@ -resource "azurerm_storage_container" "ok_container" { +resource "azurerm_storage_container" "ok_container_1" { name = "vhds" - storage_account_name = azurerm_storage_account.ok_account.name + storage_account_name = azurerm_storage_account.ok_account_1.name + container_access_type = "private" +} + +resource "azurerm_storage_container" "ok_container_2" { + name = "vhds" + storage_account_name = azurerm_storage_account.ok_account_2.name container_access_type = "private" } @@ -10,7 +16,15 @@ resource "azurerm_storage_container" "not_ok_container" { container_access_type = "private" } -resource "azurerm_storage_account" "ok_account" { +resource "azurerm_storage_account" "ok_account_1" { + name = "examplesa" + resource_group_name = azurerm_resource_group.main.name + location = azurerm_resource_group.main.location + account_tier = "Standard" + account_replication_type = "GRS" +} + +resource "azurerm_storage_account" "ok_account_2" { name = "examplesa" resource_group_name = azurerm_resource_group.main.name location = azurerm_resource_group.main.location @@ -26,14 +40,37 @@ resource "azurerm_storage_account" "not_ok_account" { account_replication_type = "GRS" } -resource "azurerm_monitor_activity_log_alert" "ok_monitor_activity_log_alert" { +resource "azurerm_monitor_activity_log_alert" "ok_monitor_activity_log_alert_1" { + name = "example-activitylogalert" + resource_group_name = azurerm_resource_group.main.name + scopes = [azurerm_resource_group.main.id] + description = "This alert will monitor a specific storage account updates." + + criteria { + resource_id = azurerm_storage_account.ok_account_1.id + operation_name = "Microsoft.Storage/storageAccounts/write" + category = "Recommendation" + } + + + action { + action_group_id = azurerm_monitor_action_group.main.id + + webhook_properties = { + from = "terraform" + } + } +} + +resource "azurerm_monitor_activity_log_alert" "ok_monitor_activity_log_alert_2" { name = "example-activitylogalert" resource_group_name = azurerm_resource_group.main.name scopes = [azurerm_resource_group.main.id] description = "This alert will monitor a specific storage account updates." + enabled = true criteria { - resource_id = azurerm_storage_account.ok_account.id + resource_id = azurerm_storage_account.ok_account_2.id operation_name = "Microsoft.Storage/storageAccounts/write" category = "Recommendation" } From a0aaf784676816c1e09824a54c88cb3662ad4e94 Mon Sep 17 00:00:00 2001 From: mikeurbanski1 Date: Fri, 6 Aug 2021 13:37:45 -0500 Subject: [PATCH 006/203] add kubernetesWorkloads as a source (#1474) --- checkov/common/bridgecrew/bc_source.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/checkov/common/bridgecrew/bc_source.py b/checkov/common/bridgecrew/bc_source.py index 0bc64c6d55..2193aae90e 100644 --- a/checkov/common/bridgecrew/bc_source.py +++ b/checkov/common/bridgecrew/bc_source.py @@ -11,12 +11,14 @@ def __init__(self, name: str, upload_results: bool): class BCSourceType: VSCODE = 'vscode' CLI = 'cli' + KUBERNETES_WORKLOADS = 'kubernetesWorkloads' DISABLED = 'disabled' # use this as a placeholder for generic no-upload logic SourceTypes = { BCSourceType.VSCODE: SourceType(BCSourceType.VSCODE, False), BCSourceType.CLI: SourceType(BCSourceType.CLI, True), + BCSourceType.KUBERNETES_WORKLOADS: SourceType(BCSourceType.KUBERNETES_WORKLOADS, True), BCSourceType.DISABLED: SourceType(BCSourceType.VSCODE, False) } From 2c23b4394cd22c198b7a27e5fb1158e0c4822e4f Mon Sep 17 00:00:00 2001 From: mikeurbanski1 Date: Fri, 6 Aug 2021 13:37:45 -0500 Subject: [PATCH 007/203] add kubernetesWorkloads as a source (#1474) --- docs/5.Policy Index/terraform.md | 610 +++++++++++++++---------------- 1 file changed, 305 insertions(+), 305 deletions(-) diff --git a/docs/5.Policy Index/terraform.md b/docs/5.Policy Index/terraform.md index f1a6e3ec3b..8582072239 100644 --- a/docs/5.Policy Index/terraform.md +++ b/docs/5.Policy Index/terraform.md @@ -204,21 +204,21 @@ nav_order: 1 | 193 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | | 194 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | | 195 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | -| 196 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 197 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 198 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | -| 199 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 196 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | +| 197 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | +| 198 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 199 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | | 200 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to an other resource | Terraform | -| 201 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | -| 202 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | +| 201 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | +| 202 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | | 203 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | | 204 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | | 205 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | | 206 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | | 207 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | | 208 | CKV2_AWS_11 | resource | aws_vpc | Ensure VPC flow logging is enabled in all VPCs | Terraform | -| 209 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | -| 210 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 209 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 210 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | | 211 | CKV2_AWS_13 | resource | aws_redshift_cluster | Ensure that Redshift clusters has backup plan of AWS Backup | Terraform | | 212 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | | 213 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | @@ -229,16 +229,16 @@ nav_order: 1 | 218 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | | 219 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | | 220 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 221 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | -| 222 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 221 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 222 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | | 223 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | | 224 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | | 225 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | -| 226 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | -| 227 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | +| 226 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | +| 227 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | | 228 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | -| 229 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | -| 230 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | +| 229 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | +| 230 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | | 231 | CKV_AZURE_1 | resource | azurerm_linux_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | | 232 | CKV_AZURE_1 | resource | azurerm_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | | 233 | CKV_AZURE_2 | resource | azurerm_managed_disk | Ensure Azure managed disk has encryption enabled | Terraform | @@ -387,44 +387,44 @@ nav_order: 1 | 376 | CKV_AZURE_130 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables infrastructure encryption | Terraform | | 377 | CKV_AZURE_131 | resource | azurerm_security_center_contact | Ensure that 'Security contact emails' is set | Terraform | | 378 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | -| 379 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 380 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 379 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 380 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | | 381 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 382 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 383 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 382 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 383 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 384 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 385 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 386 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 385 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 386 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 387 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 388 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 389 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 388 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 389 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | | 390 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 391 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 392 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | -| 393 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | -| 394 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | +| 393 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | +| 394 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 395 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | | 396 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | | 397 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | | 398 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | | 399 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | -| 400 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | -| 401 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | +| 400 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | +| 401 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | | 402 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | | 403 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | | 404 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | -| 405 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 406 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 407 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 408 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 405 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 406 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 407 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 408 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | | 409 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 410 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 411 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | | 412 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 413 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 414 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 415 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 416 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 413 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 414 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 415 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 416 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 417 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 418 | CKV_GCP_1 | resource | google_container_cluster | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters | Terraform | | 419 | CKV_GCP_2 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted ssh access | Terraform | @@ -510,277 +510,277 @@ nav_order: 1 | 499 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | | 500 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | | 501 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 502 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 503 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 504 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 505 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 506 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 507 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 508 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 509 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 510 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 511 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 512 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 513 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 514 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 515 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 516 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 517 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 518 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 519 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 520 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 521 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 522 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 523 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 524 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 525 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 526 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 527 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 528 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 529 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 530 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 531 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 532 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 533 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 534 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 535 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 536 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 537 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 538 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 539 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 540 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 541 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 542 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 543 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 544 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 545 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 546 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 547 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 548 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 549 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 550 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 551 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 552 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 553 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 554 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 555 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 556 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 557 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 558 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 559 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 560 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 561 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 562 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 563 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 564 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 565 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 566 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 567 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 568 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 569 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 570 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 571 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 572 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 573 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 574 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 575 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 576 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 577 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 578 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 579 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 580 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 581 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 582 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 583 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 584 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 585 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 586 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 587 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 588 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 589 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 590 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 591 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 592 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 593 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 594 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 595 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 596 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 597 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 598 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 599 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 600 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 601 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 602 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 603 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 604 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 605 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 606 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 607 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 608 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 609 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 610 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 611 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 612 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 613 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 614 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 615 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 616 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 617 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 618 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 619 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 620 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 621 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 622 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 623 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 624 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 625 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 626 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 627 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 628 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 629 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 630 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 631 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 632 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 633 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 634 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 635 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 636 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 637 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 638 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 639 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 640 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 641 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 642 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 643 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 644 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 645 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 646 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 647 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 648 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 649 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 650 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 651 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 652 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 653 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 654 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 655 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 656 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 657 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 658 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 659 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 660 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 661 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 662 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 663 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 664 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 665 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 666 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 667 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 668 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 669 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 670 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 671 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 672 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 673 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 674 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 675 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 676 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 677 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 678 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 679 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 680 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 681 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 682 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 683 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 684 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 685 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 686 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 687 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 688 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 689 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 690 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 691 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 692 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 693 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 694 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 695 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 696 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 697 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 698 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 699 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 700 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 701 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 702 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 703 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 704 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 705 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 706 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 707 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 708 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 709 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 710 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 711 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 712 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 713 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 714 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 715 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 716 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 717 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 718 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 719 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 720 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 721 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 722 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 723 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 724 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 725 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 726 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 727 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 728 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 729 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 730 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 731 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 732 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 733 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 734 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 735 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 736 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 737 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 738 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 739 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 740 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 741 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 742 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 743 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 744 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 745 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 746 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 747 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 748 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 749 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 750 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 751 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 752 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 753 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 754 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 755 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 756 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 757 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 758 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 759 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 760 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 761 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 762 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 763 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 764 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 765 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 766 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 767 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 768 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 769 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 770 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 771 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 772 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 502 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 503 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 504 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 505 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 506 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 507 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 508 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 509 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 510 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 511 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 512 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 513 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 514 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 515 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 516 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 517 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 518 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 519 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 520 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 521 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 522 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 523 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 524 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 525 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 526 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 527 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 528 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 529 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 530 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 531 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 532 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 533 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 534 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 535 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 536 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 537 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 538 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 539 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 540 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 541 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 542 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 543 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 544 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 545 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 546 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 547 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 548 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 549 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 550 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 551 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 552 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 553 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 554 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 555 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 556 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 557 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 558 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 559 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 560 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 561 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 562 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 563 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 564 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 565 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 566 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 567 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 568 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 569 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 570 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 571 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 572 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 573 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 574 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 575 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 576 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 577 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 578 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 579 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 580 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 581 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 582 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 583 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 584 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 585 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 586 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 587 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 588 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 589 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 590 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 591 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 592 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 593 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 594 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 595 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 596 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 597 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 598 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 599 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 600 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 601 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 602 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 603 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 604 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 605 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 606 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 607 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 608 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 609 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 610 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 611 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 612 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 613 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 614 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 615 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 616 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 617 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 618 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 619 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 620 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 621 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 622 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 623 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 624 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 625 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 626 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 627 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 628 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 629 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 630 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 631 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 632 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 633 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 634 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 635 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 636 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 637 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 638 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 639 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 640 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 641 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 642 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 643 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 644 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 645 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 646 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 647 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 648 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 649 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 650 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 651 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 652 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 653 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 654 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 655 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 656 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 657 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 658 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 659 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 660 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 661 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 662 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 663 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 664 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 665 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 666 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 667 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 668 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 669 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 670 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 671 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 672 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 673 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 674 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 675 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 676 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 677 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 678 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 679 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 680 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 681 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 682 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 683 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 684 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 685 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 686 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 687 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 688 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 689 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 690 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 691 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 692 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 693 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 694 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 695 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 696 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 697 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 698 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 699 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 700 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 701 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 702 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 703 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 704 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 705 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 706 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 707 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 708 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 709 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 710 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 711 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 712 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 713 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 714 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 715 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 716 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 717 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 718 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 719 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 720 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 721 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 722 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 723 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 724 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 725 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 726 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 727 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 728 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 729 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 730 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 731 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 732 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 733 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 734 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 735 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 736 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 737 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 738 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 739 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 740 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 741 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 742 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 743 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 744 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 745 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 746 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 747 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 748 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 749 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 750 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 751 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 752 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 753 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 754 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 755 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 756 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 757 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 758 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 759 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 760 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 761 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 762 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 763 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 764 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 765 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 766 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 767 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 768 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 769 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 770 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 771 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 772 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | | 773 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 774 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 775 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform | From 9b5b98696815e9f0168f9b5acd3e4afa6df6effa Mon Sep 17 00:00:00 2001 From: mikeurbanski1 Date: Fri, 6 Aug 2021 13:37:45 -0500 Subject: [PATCH 008/203] add kubernetesWorkloads as a source (#1474) --- docs/5.Policy Index/serverless.md | 129 ------------------------------ 1 file changed, 129 deletions(-) diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index 903b7147ef..d35af83ca3 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md @@ -16,132 +16,3 @@ nav_order: 1 --- -| | Id | Type | Entity | Policy | IaC | -|-----|-------------|----------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| -| 0 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | -| 1 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | -| 2 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | -| 3 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | -| 4 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | -| 5 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | -| 6 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | -| 7 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | -| 8 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | -| 9 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | -| 10 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | -| 11 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | -| 12 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | -| 13 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | -| 14 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | -| 15 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 16 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 17 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 18 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 19 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | -| 20 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | -| 21 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | -| 22 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | -| 23 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | -| 24 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | -| 25 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | -| 26 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | -| 27 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | -| 28 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | -| 29 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | -| 30 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | -| 31 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | -| 32 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | -| 33 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | -| 34 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | -| 35 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | -| 36 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | -| 37 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | -| 38 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | -| 39 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | -| 40 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | -| 41 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | -| 42 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | -| 43 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | -| 44 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | -| 45 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | -| 46 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | -| 47 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | -| 48 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | -| 49 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | -| 50 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | -| 51 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | -| 52 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | -| 53 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | -| 54 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | -| 55 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | -| 56 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | -| 57 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | -| 58 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | -| 59 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | -| 60 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | -| 61 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | -| 62 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | -| 63 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | -| 64 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | -| 65 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | -| 66 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | -| 67 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | -| 68 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | -| 69 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | -| 70 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | -| 71 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | -| 72 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | -| 73 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | -| 74 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | -| 75 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | -| 76 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | -| 77 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | -| 78 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | -| 79 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | -| 80 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 81 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 82 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 83 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 84 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 85 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 86 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 87 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 88 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 89 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 90 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 91 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 92 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 93 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 94 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 95 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 96 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 97 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 98 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 99 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 100 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 101 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 102 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 103 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 104 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 105 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | -| 106 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | -| 107 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | -| 108 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | -| 109 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | -| 110 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | -| 111 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | -| 112 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | -| 113 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | -| 114 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | -| 115 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | -| 116 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | -| 117 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | -| 118 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | -| 119 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | -| 120 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | -| 121 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | - - ---- - - From 53f2200928eab4fd334504cff2494e1a17912079 Mon Sep 17 00:00:00 2001 From: mikeurbanski1 Date: Fri, 6 Aug 2021 13:37:45 -0500 Subject: [PATCH 009/203] add kubernetesWorkloads as a source (#1474) --- docs/5.Policy Index/all.md | 622 ++++++++++++++++++------------------- 1 file changed, 311 insertions(+), 311 deletions(-) diff --git a/docs/5.Policy Index/all.md b/docs/5.Policy Index/all.md index 114ce52802..94e794697c 100644 --- a/docs/5.Policy Index/all.md +++ b/docs/5.Policy Index/all.md @@ -327,15 +327,15 @@ nav_order: 1 | 316 | CKV_AWS_171 | resource | aws_emr_security_configuration | Ensure Cluster security configuration encryption is using SSE-KMS | Terraform | | 317 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | | 318 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | -| 319 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | -| 320 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | -| 321 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 322 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 323 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | -| 324 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 319 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 320 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 321 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | +| 322 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | +| 323 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 324 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | | 325 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to an other resource | Terraform | -| 326 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | -| 327 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | +| 326 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | +| 327 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | | 328 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | | 329 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | | 330 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | @@ -345,25 +345,25 @@ nav_order: 1 | 334 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | | 335 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | | 336 | CKV2_AWS_13 | resource | aws_redshift_cluster | Ensure that Redshift clusters has backup plan of AWS Backup | Terraform | -| 337 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | -| 338 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | +| 337 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | +| 338 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | | 339 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | | 340 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | | 341 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 342 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 343 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | -| 344 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 345 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | +| 344 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | +| 345 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | | 346 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | | 347 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | | 348 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | | 349 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | | 350 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | -| 351 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | -| 352 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | +| 351 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | +| 352 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | | 353 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | -| 354 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | -| 355 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | +| 354 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | +| 355 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | | 356 | CKV_AZURE_1 | resource | azurerm_linux_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | | 357 | CKV_AZURE_1 | resource | azurerm_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | | 358 | CKV_AZURE_1 | resource | Microsoft.Compute/virtualMachines | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | arm | @@ -565,45 +565,45 @@ nav_order: 1 | 554 | CKV_AZURE_131 | resource | azurerm_security_center_contact | Ensure that 'Security contact emails' is set | Terraform | | 555 | CKV_AZURE_131 | parameter | secureString | SecureString parameter should not have hardcoded default values | arm | | 556 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | -| 557 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 558 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 559 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 557 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 558 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 559 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 560 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 561 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 562 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 561 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 562 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 563 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 564 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 565 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 564 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 565 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | | 566 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 567 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 567 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | | 568 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 569 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 570 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | -| 571 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | -| 572 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | +| 571 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | +| 572 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 573 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | -| 574 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | -| 575 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 574 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 575 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | | 576 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | | 577 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | -| 578 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | -| 579 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | +| 578 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | +| 579 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | | 580 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | | 581 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | | 582 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | -| 583 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 584 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 585 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 586 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 587 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | -| 588 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 583 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 584 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 585 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 586 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 587 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 588 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 589 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | | 590 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 591 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 592 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 593 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 591 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 592 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 593 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 594 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 595 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 595 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 596 | CKV_DOCKER_1 | dockerfile | EXPOSE | Ensure port 22 is not exposed | dockerfile | | 597 | CKV_DOCKER_2 | dockerfile | * | Ensure that HEALTHCHECK instructions have been added to container images | dockerfile | | 598 | CKV_DOCKER_3 | dockerfile | * | Ensure that a user for the container has been created | dockerfile | @@ -696,279 +696,279 @@ nav_order: 1 | 685 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | | 686 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | | 687 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 688 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 689 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 690 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 691 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 692 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 693 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 694 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 695 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 696 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 697 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 698 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 699 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 700 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 701 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 702 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 703 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 704 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 705 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 706 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 707 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 708 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 709 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 710 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 711 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 712 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 713 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 714 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 715 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 716 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 717 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 718 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 719 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 720 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 721 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 722 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 723 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 724 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 725 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 726 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 727 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 728 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 729 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 730 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 731 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 732 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 733 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 734 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 735 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 736 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 737 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 738 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 739 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 740 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 741 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 742 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 743 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 744 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 745 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 746 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 747 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 748 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 749 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 750 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 751 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 752 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 753 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 754 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 755 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 756 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 757 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 758 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 759 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 760 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 761 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 762 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 763 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 764 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 765 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 766 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 767 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 768 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 769 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 770 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 771 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 772 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 773 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 774 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 775 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 776 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 777 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 778 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 779 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 780 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 781 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 782 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 783 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 784 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 785 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 786 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 787 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 788 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 789 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 790 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 791 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 792 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 793 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 794 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 795 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 796 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 797 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 798 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 799 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 800 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 801 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 802 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 803 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 804 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 805 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 806 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 807 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 808 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 809 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 810 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 811 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 812 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 813 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 814 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 815 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 816 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 817 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 818 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 819 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 820 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 821 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 822 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 823 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 824 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 825 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 826 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 827 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 828 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 829 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 830 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 831 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 832 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 833 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 834 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 835 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 836 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 837 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 838 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 839 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 840 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 841 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 842 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 843 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 844 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 845 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 846 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 847 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 848 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 849 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 850 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 851 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 852 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 853 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 854 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 855 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 856 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 857 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 858 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 859 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 860 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 861 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 862 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 863 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 864 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 865 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 866 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 867 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 868 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 869 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 870 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 871 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 872 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 873 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 874 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 875 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 876 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 877 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 878 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 879 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 880 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 881 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 882 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 883 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 884 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 885 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 886 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 887 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 888 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 889 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 890 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 891 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 892 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 893 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 894 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 895 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 896 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 897 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 898 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 899 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 900 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 901 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 902 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 903 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 904 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 905 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 906 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 907 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 908 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 909 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 910 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 911 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 912 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 913 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 914 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 915 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 916 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 917 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 918 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 919 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 920 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 921 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 922 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 923 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 924 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 925 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 926 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 927 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 928 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 929 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 930 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 931 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 932 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 933 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 934 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 935 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 936 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 937 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 938 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 939 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 940 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 941 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 942 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 943 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 944 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 945 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 946 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 947 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 948 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 949 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 950 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 688 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 689 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 690 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 691 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 692 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 693 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 694 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 695 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 696 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 697 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 698 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 699 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 700 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 701 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 702 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 703 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 704 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 705 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 706 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 707 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 708 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 709 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 710 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 711 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 712 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 713 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 714 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 715 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 716 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 717 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 718 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 719 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 720 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 721 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 722 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 723 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 724 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 725 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 726 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 727 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 728 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 729 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 730 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 731 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 732 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 733 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 734 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 735 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 736 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 737 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 738 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 739 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 740 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 741 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 742 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 743 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 744 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 745 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 746 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 747 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 748 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 749 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 750 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 751 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 752 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 753 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 754 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 755 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 756 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 757 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 758 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 759 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 760 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 761 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 762 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 763 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 764 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 765 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 766 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 767 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 768 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 769 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 770 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 771 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 772 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 773 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 774 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 775 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 776 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 777 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 778 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 779 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 780 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 781 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 782 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 783 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 784 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 785 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 786 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 787 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 788 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 789 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 790 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 791 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 792 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 793 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 794 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 795 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 796 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 797 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 798 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 799 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 800 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 801 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 802 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 803 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 804 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 805 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 806 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 807 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 808 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 809 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 810 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 811 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 812 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 813 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 814 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 815 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 816 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 817 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 818 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 819 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 820 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 821 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 822 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 823 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 824 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 825 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 826 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 827 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 828 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 829 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 830 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 831 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 832 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 833 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 834 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 835 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 836 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 837 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 838 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 839 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 840 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 841 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 842 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 843 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 844 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 845 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 846 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 847 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 848 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 849 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 850 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 851 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 852 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 853 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 854 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 855 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 856 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 857 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 858 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 859 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 860 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 861 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 862 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 863 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 864 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 865 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 866 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 867 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 868 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 869 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 870 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 871 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 872 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 873 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 874 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 875 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 876 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 877 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 878 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 879 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 880 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 881 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 882 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 883 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 884 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 885 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 886 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 887 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 888 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 889 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 890 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 891 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 892 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 893 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 894 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 895 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 896 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 897 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 898 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 899 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 900 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 901 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 902 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 903 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 904 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 905 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 906 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 907 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 908 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 909 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 910 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 911 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 912 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 913 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 914 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 915 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 916 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 917 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 918 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 919 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 920 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 921 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 922 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 923 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 924 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 925 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 926 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 927 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 928 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 929 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 930 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 931 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 932 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 933 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 934 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 935 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 936 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 937 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 938 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 939 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 940 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 941 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 942 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 943 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 944 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 945 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 946 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 947 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 948 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 949 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 950 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 951 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 952 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 953 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 954 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 955 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 956 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 957 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 952 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 953 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 954 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 955 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 956 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 957 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | | 958 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 959 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | -| 960 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 959 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 960 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 961 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform | | 962 | CKV_K8S_1 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host process ID namespace | Kubernetes | | 963 | CKV_K8S_2 | resource | PodSecurityPolicy | Do not admit privileged containers | Kubernetes | From 5d642f2867c1b2cf915586b88b7eceabcbe8fff6 Mon Sep 17 00:00:00 2001 From: mikeurbanski1 Date: Fri, 6 Aug 2021 13:37:45 -0500 Subject: [PATCH 010/203] add kubernetesWorkloads as a source (#1474) --- docs/5.Policy Index/serverless.md | 129 ++++++++++++++++++++++++++++++ 1 file changed, 129 insertions(+) diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index d35af83ca3..903b7147ef 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md @@ -16,3 +16,132 @@ nav_order: 1 --- +| | Id | Type | Entity | Policy | IaC | +|-----|-------------|----------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| +| 0 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | +| 1 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | +| 2 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | +| 3 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | +| 4 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | +| 5 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | +| 6 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | +| 7 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | +| 8 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | +| 9 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | +| 10 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | +| 11 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | +| 12 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | +| 13 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | +| 14 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | +| 15 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 16 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 17 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 18 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 19 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | +| 20 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | +| 21 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | +| 22 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | +| 23 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | +| 24 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | +| 25 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | +| 26 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | +| 27 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | +| 28 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | +| 29 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | +| 30 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | +| 31 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | +| 32 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | +| 33 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | +| 34 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | +| 35 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | +| 36 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | +| 37 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | +| 38 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | +| 39 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | +| 40 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | +| 41 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | +| 42 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | +| 43 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | +| 44 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | +| 45 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | +| 46 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | +| 47 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | +| 48 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | +| 49 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | +| 50 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | +| 51 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | +| 52 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | +| 53 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | +| 54 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | +| 55 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | +| 56 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | +| 57 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | +| 58 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | +| 59 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | +| 60 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | +| 61 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | +| 62 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | +| 63 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | +| 64 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | +| 65 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | +| 66 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | +| 67 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | +| 68 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | +| 69 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | +| 70 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | +| 71 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | +| 72 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | +| 73 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | +| 74 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | +| 75 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | +| 76 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | +| 77 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | +| 78 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | +| 79 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | +| 80 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 81 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 82 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 83 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 84 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 85 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 86 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 87 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 88 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 89 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 90 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 91 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 92 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 93 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 94 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 95 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 96 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 97 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 98 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 99 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 100 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 101 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 102 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 103 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 104 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 105 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | +| 106 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | +| 107 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | +| 108 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | +| 109 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | +| 110 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | +| 111 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | +| 112 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | +| 113 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | +| 114 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | +| 115 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | +| 116 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | +| 117 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | +| 118 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | +| 119 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | +| 120 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | +| 121 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | + + +--- + + From acd23c64b9f5f362cd657028b322649d6ef6a3c1 Mon Sep 17 00:00:00 2001 From: mikeurbanski1 Date: Fri, 6 Aug 2021 13:37:45 -0500 Subject: [PATCH 011/203] add kubernetesWorkloads as a source (#1474) --- checkov/version.py | 2 +- kubernetes/requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/checkov/version.py b/checkov/version.py index fa18a3d8d1..ab7bf63944 100644 --- a/checkov/version.py +++ b/checkov/version.py @@ -1 +1 @@ -version = '2.0.336' +version = '2.0.337' diff --git a/kubernetes/requirements.txt b/kubernetes/requirements.txt index 86739f413a..a3672643f2 100644 --- a/kubernetes/requirements.txt +++ b/kubernetes/requirements.txt @@ -1 +1 @@ -checkov==2.0.336 +checkov==2.0.337 From f946ac8303522e34a5a22b04672de0dfbbea3b06 Mon Sep 17 00:00:00 2001 From: naorda Date: Sun, 8 Aug 2021 15:49:59 +0300 Subject: [PATCH 012/203] handle potential ValueError exceptions of malformed YAML files (#1475) --- checkov/cloudformation/cfn_utils.py | 5 +++-- checkov/kubernetes/runner.py | 10 +++++++--- 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/checkov/cloudformation/cfn_utils.py b/checkov/cloudformation/cfn_utils.py index c020e9641c..d8bc9e9e65 100644 --- a/checkov/cloudformation/cfn_utils.py +++ b/checkov/cloudformation/cfn_utils.py @@ -114,8 +114,9 @@ def get_folder_definitions( definitions_raw[relative_file_path] = template_lines else: logging.debug(f"Parsed file {file} incorrectly {template}") - except TypeError: - logging.info(f"CloudFormation skipping {file} as it is not a valid CF template") + except (TypeError, ValueError) as e: + logging.warning(f"CloudFormation skipping {file} as it is not a valid CF template\n{e}") + continue definitions = {create_file_abs_path(root_folder, file_path): v for (file_path, v) in definitions.items()} definitions_raw = {create_file_abs_path(root_folder, file_path): v for (file_path, v) in definitions_raw.items()} diff --git a/checkov/kubernetes/runner.py b/checkov/kubernetes/runner.py index a4241552fa..3ba7a1b8de 100644 --- a/checkov/kubernetes/runner.py +++ b/checkov/kubernetes/runner.py @@ -49,9 +49,13 @@ def run(self, root_folder, external_checks_dir=None, files=None, runner_filter=R for file in files_list: relative_file_path = f'/{os.path.relpath(file, os.path.commonprefix((root_folder, file)))}' - parse_result = parse(file) - if parse_result: - (definitions[relative_file_path], definitions_raw[relative_file_path]) = parse_result + try: + parse_result = parse(file) + if parse_result: + (definitions[relative_file_path], definitions_raw[relative_file_path]) = parse_result + except (TypeError, ValueError) as e: + logging.warning(f"Kubernetes skipping {file} as it is not a valid Kubernetes template\n{e}") + continue for k8_file in definitions.keys(): From b88eff4afaa017ff4a1fb6cf7ad970a5bd11456c Mon Sep 17 00:00:00 2001 From: naorda Date: Sun, 8 Aug 2021 15:49:59 +0300 Subject: [PATCH 013/203] handle potential ValueError exceptions of malformed YAML files (#1475) --- docs/5.Policy Index/terraform.md | 644 +++++++++++++++---------------- 1 file changed, 322 insertions(+), 322 deletions(-) diff --git a/docs/5.Policy Index/terraform.md b/docs/5.Policy Index/terraform.md index 8582072239..6355e800ed 100644 --- a/docs/5.Policy Index/terraform.md +++ b/docs/5.Policy Index/terraform.md @@ -202,43 +202,43 @@ nav_order: 1 | 191 | CKV_AWS_171 | resource | aws_emr_security_configuration | Ensure Cluster security configuration encryption is using SSE-KMS | Terraform | | 192 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | | 193 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | -| 194 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | -| 195 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | -| 196 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 197 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 198 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | -| 199 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 194 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 195 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 196 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | +| 197 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | +| 198 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 199 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | | 200 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to an other resource | Terraform | -| 201 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | -| 202 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | -| 203 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | -| 204 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 201 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | +| 202 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | +| 203 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 204 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | | 205 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | | 206 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | | 207 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | | 208 | CKV2_AWS_11 | resource | aws_vpc | Ensure VPC flow logging is enabled in all VPCs | Terraform | -| 209 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | -| 210 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 209 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 210 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | | 211 | CKV2_AWS_13 | resource | aws_redshift_cluster | Ensure that Redshift clusters has backup plan of AWS Backup | Terraform | -| 212 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | -| 213 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | -| 214 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 215 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 216 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | -| 217 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | +| 212 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | +| 213 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | +| 214 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 215 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 216 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | +| 217 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 218 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | -| 219 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 220 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 221 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | -| 222 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 219 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | +| 220 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | +| 221 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 222 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | | 223 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | | 224 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | | 225 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | -| 226 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | -| 227 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | +| 226 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | +| 227 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | | 228 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | -| 229 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | -| 230 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | +| 229 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | +| 230 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | | 231 | CKV_AZURE_1 | resource | azurerm_linux_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | | 232 | CKV_AZURE_1 | resource | azurerm_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | | 233 | CKV_AZURE_2 | resource | azurerm_managed_disk | Ensure Azure managed disk has encryption enabled | Terraform | @@ -387,45 +387,45 @@ nav_order: 1 | 376 | CKV_AZURE_130 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables infrastructure encryption | Terraform | | 377 | CKV_AZURE_131 | resource | azurerm_security_center_contact | Ensure that 'Security contact emails' is set | Terraform | | 378 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | -| 379 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 380 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 381 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 382 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 383 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 384 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 385 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 386 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 387 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 388 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 389 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 390 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | -| 391 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 379 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 380 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 381 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 382 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 383 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 384 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 385 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 386 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 387 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 388 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 389 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 390 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 391 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 392 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | -| 393 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | -| 394 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | +| 393 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | +| 394 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 395 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | | 396 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | | 397 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | | 398 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | | 399 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | -| 400 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | -| 401 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | +| 400 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | +| 401 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | | 402 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | | 403 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | | 404 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | -| 405 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 406 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 407 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 408 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 409 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | -| 410 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 405 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 406 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 407 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 408 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 409 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 410 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 411 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | -| 412 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 412 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | | 413 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 414 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 415 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 414 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 415 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 416 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 417 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 417 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 418 | CKV_GCP_1 | resource | google_container_cluster | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters | Terraform | | 419 | CKV_GCP_2 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted ssh access | Terraform | | 420 | CKV_GCP_3 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted rdp access | Terraform | @@ -510,279 +510,279 @@ nav_order: 1 | 499 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | | 500 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | | 501 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 502 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 503 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 504 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 505 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 506 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 507 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 508 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 509 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 510 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 511 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 512 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 513 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 514 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 515 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 516 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 517 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 518 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 519 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 520 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 521 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 522 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 523 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 524 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 525 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 526 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 527 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 528 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 529 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 530 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 531 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 532 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 533 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 534 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 535 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 536 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 537 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 538 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 539 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 540 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 541 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 542 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 543 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 544 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 545 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 546 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 547 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 548 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 549 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 550 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 551 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 552 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 553 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 554 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 555 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 556 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 557 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 558 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 559 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 560 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 561 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 562 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 563 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 564 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 565 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 566 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 567 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 568 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 569 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 570 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 571 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 572 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 573 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 574 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 575 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 576 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 577 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 578 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 579 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 580 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 581 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 582 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 583 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 584 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 585 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 586 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 587 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 588 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 589 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 590 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 591 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 592 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 593 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 594 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 595 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 596 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 597 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 598 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 599 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 600 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 601 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 602 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 603 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 604 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 605 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 606 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 607 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 608 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 609 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 610 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 611 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 612 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 613 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 614 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 615 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 616 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 617 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 618 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 619 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 620 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 621 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 622 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 623 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 624 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 625 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 626 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 627 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 628 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 629 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 630 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 631 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 632 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 633 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 634 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 635 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 636 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 637 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 638 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 639 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 640 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 641 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 642 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 643 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 644 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 645 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 646 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 647 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 648 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 649 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 650 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 651 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 652 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 653 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 654 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 655 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 656 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 657 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 658 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 659 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 660 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 661 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 662 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 663 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 664 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 665 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 666 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 667 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 668 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 669 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 670 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 671 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 672 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 673 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 674 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 675 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 676 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 677 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 678 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 679 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 680 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 681 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 682 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 683 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 684 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 685 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 686 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 687 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 688 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 689 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 690 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 691 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 692 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 693 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 694 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 695 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 696 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 697 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 698 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 699 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 700 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 701 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 702 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 703 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 704 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 705 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 706 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 707 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 708 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 709 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 710 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 711 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 712 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 713 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 714 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 715 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 716 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 717 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 718 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 719 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 720 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 721 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 722 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 723 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 724 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 725 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 726 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 727 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 728 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 729 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 730 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 731 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 732 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 733 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 734 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 735 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 736 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 737 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 738 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 739 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 740 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 741 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 742 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 743 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 744 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 745 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 746 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 747 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 748 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 749 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 750 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 751 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 752 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 753 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 754 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 755 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 756 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 757 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 758 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 759 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 760 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 761 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 762 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 763 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 502 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 503 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 504 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 505 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 506 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 507 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 508 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 509 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 510 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 511 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 512 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 513 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 514 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 515 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 516 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 517 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 518 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 519 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 520 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 521 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 522 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 523 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 524 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 525 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 526 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 527 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 528 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 529 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 530 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 531 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 532 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 533 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 534 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 535 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 536 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 537 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 538 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 539 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 540 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 541 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 542 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 543 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 544 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 545 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 546 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 547 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 548 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 549 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 550 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 551 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 552 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 553 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 554 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 555 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 556 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 557 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 558 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 559 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 560 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 561 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 562 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 563 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 564 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 565 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 566 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 567 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 568 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 569 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 570 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 571 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 572 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 573 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 574 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 575 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 576 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 577 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 578 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 579 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 580 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 581 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 582 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 583 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 584 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 585 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 586 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 587 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 588 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 589 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 590 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 591 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 592 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 593 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 594 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 595 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 596 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 597 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 598 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 599 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 600 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 601 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 602 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 603 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 604 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 605 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 606 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 607 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 608 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 609 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 610 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 611 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 612 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 613 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 614 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 615 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 616 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 617 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 618 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 619 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 620 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 621 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 622 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 623 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 624 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 625 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 626 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 627 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 628 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 629 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 630 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 631 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 632 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 633 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 634 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 635 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 636 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 637 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 638 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 639 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 640 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 641 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 642 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 643 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 644 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 645 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 646 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 647 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 648 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 649 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 650 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 651 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 652 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 653 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 654 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 655 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 656 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 657 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 658 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 659 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 660 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 661 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 662 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 663 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 664 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 665 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 666 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 667 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 668 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 669 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 670 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 671 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 672 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 673 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 674 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 675 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 676 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 677 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 678 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 679 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 680 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 681 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 682 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 683 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 684 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 685 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 686 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 687 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 688 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 689 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 690 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 691 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 692 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 693 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 694 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 695 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 696 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 697 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 698 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 699 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 700 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 701 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 702 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 703 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 704 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 705 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 706 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 707 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 708 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 709 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 710 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 711 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 712 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 713 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 714 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 715 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 716 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 717 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 718 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 719 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 720 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 721 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 722 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 723 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 724 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 725 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 726 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 727 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 728 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 729 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 730 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 731 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 732 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 733 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 734 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 735 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 736 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 737 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 738 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 739 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 740 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 741 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 742 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 743 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 744 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 745 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 746 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 747 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 748 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 749 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 750 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 751 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 752 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 753 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 754 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 755 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 756 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 757 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 758 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 759 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 760 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 761 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 762 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 763 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 764 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 765 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 766 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 767 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 768 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 769 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 770 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 771 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 772 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 773 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | -| 774 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 768 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 769 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 770 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 771 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 772 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 773 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 774 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 775 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform | | 776 | CKV_LIN_1 | provider | linode | Ensure no hard coded Linode tokens exist in provider | Terraform | | 777 | CKV_LIN_2 | resource | linode_instance | Ensure SSH key set in authorized_keys | Terraform | From 5a957909e98bbf0638d4de21ca50e9586f0e0a73 Mon Sep 17 00:00:00 2001 From: naorda Date: Sun, 8 Aug 2021 15:49:59 +0300 Subject: [PATCH 014/203] handle potential ValueError exceptions of malformed YAML files (#1475) --- docs/5.Policy Index/serverless.md | 129 ------------------------------ 1 file changed, 129 deletions(-) diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index 903b7147ef..d35af83ca3 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md @@ -16,132 +16,3 @@ nav_order: 1 --- -| | Id | Type | Entity | Policy | IaC | -|-----|-------------|----------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| -| 0 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | -| 1 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | -| 2 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | -| 3 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | -| 4 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | -| 5 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | -| 6 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | -| 7 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | -| 8 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | -| 9 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | -| 10 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | -| 11 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | -| 12 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | -| 13 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | -| 14 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | -| 15 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 16 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 17 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 18 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 19 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | -| 20 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | -| 21 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | -| 22 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | -| 23 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | -| 24 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | -| 25 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | -| 26 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | -| 27 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | -| 28 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | -| 29 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | -| 30 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | -| 31 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | -| 32 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | -| 33 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | -| 34 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | -| 35 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | -| 36 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | -| 37 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | -| 38 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | -| 39 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | -| 40 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | -| 41 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | -| 42 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | -| 43 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | -| 44 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | -| 45 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | -| 46 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | -| 47 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | -| 48 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | -| 49 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | -| 50 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | -| 51 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | -| 52 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | -| 53 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | -| 54 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | -| 55 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | -| 56 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | -| 57 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | -| 58 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | -| 59 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | -| 60 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | -| 61 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | -| 62 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | -| 63 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | -| 64 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | -| 65 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | -| 66 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | -| 67 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | -| 68 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | -| 69 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | -| 70 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | -| 71 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | -| 72 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | -| 73 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | -| 74 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | -| 75 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | -| 76 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | -| 77 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | -| 78 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | -| 79 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | -| 80 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 81 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 82 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 83 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 84 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 85 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 86 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 87 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 88 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 89 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 90 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 91 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 92 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 93 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 94 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 95 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 96 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 97 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 98 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 99 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 100 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 101 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 102 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 103 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 104 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 105 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | -| 106 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | -| 107 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | -| 108 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | -| 109 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | -| 110 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | -| 111 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | -| 112 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | -| 113 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | -| 114 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | -| 115 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | -| 116 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | -| 117 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | -| 118 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | -| 119 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | -| 120 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | -| 121 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | - - ---- - - From 4e22402668780f7d91ce5a3df56ad4cae8eb1ca9 Mon Sep 17 00:00:00 2001 From: naorda Date: Sun, 8 Aug 2021 15:49:59 +0300 Subject: [PATCH 015/203] handle potential ValueError exceptions of malformed YAML files (#1475) --- docs/5.Policy Index/all.md | 602 ++++++++++++++++++------------------- 1 file changed, 301 insertions(+), 301 deletions(-) diff --git a/docs/5.Policy Index/all.md b/docs/5.Policy Index/all.md index 94e794697c..780bf014ab 100644 --- a/docs/5.Policy Index/all.md +++ b/docs/5.Policy Index/all.md @@ -325,17 +325,17 @@ nav_order: 1 | 314 | CKV_AWS_170 | resource | aws_qldb_ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Terraform | | 315 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | | 316 | CKV_AWS_171 | resource | aws_emr_security_configuration | Ensure Cluster security configuration encryption is using SSE-KMS | Terraform | -| 317 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | -| 318 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | -| 319 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | -| 320 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 317 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | +| 318 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | +| 319 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 320 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | | 321 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | | 322 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 323 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | -| 324 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 323 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 324 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | | 325 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to an other resource | Terraform | -| 326 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | -| 327 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | +| 326 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | +| 327 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | | 328 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | | 329 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | | 330 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | @@ -354,16 +354,16 @@ nav_order: 1 | 343 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | | 344 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | | 345 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 346 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | -| 347 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 346 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 347 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | | 348 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | | 349 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | | 350 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | -| 351 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | -| 352 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | +| 351 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | +| 352 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | | 353 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | -| 354 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | -| 355 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | +| 354 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | +| 355 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | | 356 | CKV_AZURE_1 | resource | azurerm_linux_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | | 357 | CKV_AZURE_1 | resource | azurerm_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | | 358 | CKV_AZURE_1 | resource | Microsoft.Compute/virtualMachines | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | arm | @@ -565,17 +565,17 @@ nav_order: 1 | 554 | CKV_AZURE_131 | resource | azurerm_security_center_contact | Ensure that 'Security contact emails' is set | Terraform | | 555 | CKV_AZURE_131 | parameter | secureString | SecureString parameter should not have hardcoded default values | arm | | 556 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | -| 557 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 558 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 559 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 557 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 558 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 559 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 560 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 561 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 562 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 561 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 562 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 563 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 564 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 565 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 564 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 565 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | | 566 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 567 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 567 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | | 568 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 569 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 570 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | @@ -586,24 +586,24 @@ nav_order: 1 | 575 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | | 576 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | | 577 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | -| 578 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | -| 579 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | +| 578 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | +| 579 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | | 580 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | | 581 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | | 582 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | -| 583 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 584 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 583 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 584 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | | 585 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | | 586 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | | 587 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 588 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 589 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | -| 590 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 591 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 592 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 593 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 594 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 595 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 590 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 591 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 592 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 593 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 594 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 595 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 596 | CKV_DOCKER_1 | dockerfile | EXPOSE | Ensure port 22 is not exposed | dockerfile | | 597 | CKV_DOCKER_2 | dockerfile | * | Ensure that HEALTHCHECK instructions have been added to container images | dockerfile | | 598 | CKV_DOCKER_3 | dockerfile | * | Ensure that a user for the container has been created | dockerfile | @@ -696,279 +696,279 @@ nav_order: 1 | 685 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | | 686 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | | 687 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 688 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 689 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 690 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 691 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 692 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 693 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 694 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 695 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 696 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 697 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 698 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 699 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 700 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 701 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 702 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 703 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 704 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 705 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 706 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 707 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 708 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 709 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 710 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 711 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 712 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 713 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 714 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 715 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 716 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 717 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 718 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 719 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 720 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 721 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 722 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 723 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 724 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 725 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 726 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 727 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 728 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 729 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 730 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 731 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 732 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 733 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 734 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 735 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 736 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 737 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 738 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 739 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 740 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 741 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 742 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 743 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 744 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 745 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 746 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 747 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 748 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 749 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 750 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 751 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 752 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 753 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 754 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 755 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 756 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 757 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 758 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 759 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 760 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 761 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 762 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 763 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 764 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 765 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 766 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 767 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 768 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 769 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 770 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 771 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 772 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 773 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 774 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 775 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 776 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 777 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 778 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 779 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 780 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 781 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 782 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 783 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 784 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 785 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 786 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 787 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 788 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 789 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 790 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 791 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 792 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 793 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 794 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 795 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 796 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 797 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 798 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 799 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 800 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 801 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 802 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 803 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 804 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 805 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 806 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 807 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 808 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 809 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 810 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 811 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 812 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 813 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 814 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 815 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 816 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 817 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 818 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 819 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 820 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 821 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 822 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 823 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 824 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 825 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 826 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 827 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 828 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 829 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 830 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 831 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 832 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 833 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 834 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 835 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 836 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 837 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 838 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 839 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 840 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 841 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 842 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 843 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 844 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 845 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 846 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 847 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 848 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 849 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 850 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 851 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 852 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 853 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 854 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 855 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 856 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 857 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 858 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 859 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 860 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 861 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 862 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 863 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 864 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 865 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 866 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 867 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 868 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 869 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 870 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 871 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 872 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 873 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 874 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 875 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 876 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 877 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 878 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 879 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 880 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 881 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 882 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 883 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 884 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 885 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 886 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 887 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 888 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 889 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 890 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 891 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 892 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 893 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 894 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 895 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 896 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 897 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 898 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 899 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 900 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 901 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 902 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 903 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 904 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 905 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 906 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 907 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 908 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 909 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 910 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 911 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 912 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 913 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 914 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 915 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 916 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 917 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 918 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 919 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 920 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 921 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 922 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 923 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 924 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 925 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 926 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 927 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 928 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 929 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 930 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 931 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 932 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 933 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 934 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 935 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 936 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 937 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 938 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 939 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 940 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 941 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 942 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 943 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 944 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 945 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 946 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 947 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 948 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 949 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 950 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 951 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 688 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 689 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 690 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 691 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 692 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 693 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 694 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 695 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 696 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 697 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 698 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 699 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 700 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 701 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 702 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 703 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 704 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 705 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 706 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 707 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 708 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 709 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 710 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 711 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 712 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 713 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 714 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 715 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 716 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 717 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 718 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 719 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 720 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 721 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 722 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 723 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 724 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 725 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 726 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 727 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 728 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 729 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 730 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 731 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 732 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 733 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 734 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 735 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 736 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 737 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 738 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 739 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 740 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 741 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 742 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 743 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 744 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 745 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 746 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 747 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 748 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 749 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 750 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 751 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 752 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 753 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 754 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 755 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 756 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 757 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 758 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 759 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 760 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 761 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 762 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 763 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 764 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 765 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 766 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 767 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 768 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 769 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 770 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 771 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 772 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 773 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 774 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 775 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 776 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 777 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 778 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 779 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 780 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 781 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 782 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 783 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 784 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 785 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 786 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 787 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 788 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 789 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 790 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 791 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 792 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 793 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 794 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 795 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 796 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 797 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 798 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 799 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 800 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 801 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 802 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 803 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 804 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 805 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 806 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 807 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 808 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 809 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 810 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 811 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 812 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 813 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 814 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 815 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 816 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 817 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 818 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 819 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 820 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 821 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 822 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 823 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 824 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 825 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 826 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 827 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 828 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 829 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 830 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 831 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 832 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 833 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 834 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 835 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 836 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 837 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 838 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 839 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 840 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 841 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 842 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 843 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 844 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 845 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 846 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 847 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 848 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 849 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 850 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 851 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 852 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 853 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 854 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 855 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 856 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 857 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 858 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 859 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 860 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 861 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 862 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 863 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 864 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 865 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 866 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 867 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 868 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 869 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 870 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 871 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 872 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 873 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 874 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 875 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 876 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 877 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 878 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 879 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 880 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 881 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 882 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 883 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 884 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 885 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 886 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 887 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 888 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 889 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 890 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 891 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 892 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 893 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 894 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 895 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 896 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 897 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 898 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 899 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 900 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 901 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 902 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 903 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 904 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 905 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 906 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 907 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 908 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 909 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 910 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 911 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 912 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 913 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 914 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 915 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 916 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 917 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 918 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 919 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 920 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 921 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 922 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 923 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 924 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 925 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 926 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 927 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 928 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 929 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 930 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 931 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 932 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 933 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 934 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 935 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 936 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 937 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 938 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 939 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 940 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 941 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 942 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 943 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 944 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 945 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 946 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 947 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 948 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 949 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 950 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 951 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 952 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 953 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 954 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | | 955 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 956 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 957 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 958 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 959 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | -| 960 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 956 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 957 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 958 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 959 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 960 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 961 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform | | 962 | CKV_K8S_1 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host process ID namespace | Kubernetes | | 963 | CKV_K8S_2 | resource | PodSecurityPolicy | Do not admit privileged containers | Kubernetes | From 094884348fbd6b0d48a52666d1f14cfb3f5fc1c0 Mon Sep 17 00:00:00 2001 From: naorda Date: Sun, 8 Aug 2021 15:49:59 +0300 Subject: [PATCH 016/203] handle potential ValueError exceptions of malformed YAML files (#1475) --- docs/5.Policy Index/serverless.md | 129 ++++++++++++++++++++++++++++++ 1 file changed, 129 insertions(+) diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index d35af83ca3..903b7147ef 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md @@ -16,3 +16,132 @@ nav_order: 1 --- +| | Id | Type | Entity | Policy | IaC | +|-----|-------------|----------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| +| 0 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | +| 1 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | +| 2 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | +| 3 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | +| 4 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | +| 5 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | +| 6 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | +| 7 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | +| 8 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | +| 9 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | +| 10 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | +| 11 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | +| 12 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | +| 13 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | +| 14 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | +| 15 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 16 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 17 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 18 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 19 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | +| 20 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | +| 21 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | +| 22 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | +| 23 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | +| 24 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | +| 25 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | +| 26 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | +| 27 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | +| 28 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | +| 29 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | +| 30 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | +| 31 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | +| 32 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | +| 33 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | +| 34 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | +| 35 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | +| 36 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | +| 37 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | +| 38 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | +| 39 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | +| 40 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | +| 41 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | +| 42 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | +| 43 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | +| 44 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | +| 45 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | +| 46 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | +| 47 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | +| 48 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | +| 49 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | +| 50 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | +| 51 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | +| 52 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | +| 53 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | +| 54 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | +| 55 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | +| 56 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | +| 57 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | +| 58 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | +| 59 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | +| 60 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | +| 61 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | +| 62 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | +| 63 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | +| 64 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | +| 65 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | +| 66 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | +| 67 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | +| 68 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | +| 69 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | +| 70 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | +| 71 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | +| 72 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | +| 73 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | +| 74 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | +| 75 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | +| 76 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | +| 77 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | +| 78 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | +| 79 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | +| 80 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 81 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 82 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 83 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 84 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 85 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 86 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 87 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 88 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 89 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 90 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 91 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 92 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 93 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 94 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 95 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 96 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 97 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 98 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 99 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 100 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 101 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 102 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 103 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 104 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 105 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | +| 106 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | +| 107 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | +| 108 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | +| 109 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | +| 110 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | +| 111 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | +| 112 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | +| 113 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | +| 114 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | +| 115 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | +| 116 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | +| 117 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | +| 118 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | +| 119 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | +| 120 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | +| 121 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | + + +--- + + From d76aee75204fda4f4b5cdfbcc6c7a7fac3ba7c25 Mon Sep 17 00:00:00 2001 From: naorda Date: Sun, 8 Aug 2021 15:49:59 +0300 Subject: [PATCH 017/203] handle potential ValueError exceptions of malformed YAML files (#1475) --- checkov/version.py | 2 +- kubernetes/requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/checkov/version.py b/checkov/version.py index ab7bf63944..10a193245f 100644 --- a/checkov/version.py +++ b/checkov/version.py @@ -1 +1 @@ -version = '2.0.337' +version = '2.0.338' diff --git a/kubernetes/requirements.txt b/kubernetes/requirements.txt index a3672643f2..f9404998ed 100644 --- a/kubernetes/requirements.txt +++ b/kubernetes/requirements.txt @@ -1 +1 @@ -checkov==2.0.337 +checkov==2.0.338 From 224b2b4655a1db826f841c09ceba7d0cd4577d21 Mon Sep 17 00:00:00 2001 From: gruebel Date: Mon, 9 Aug 2021 11:11:22 +0900 Subject: [PATCH 018/203] add check CKV_AWS_172 for QLDB deletion protection --- .../aws/QLDBLedgerDeletionProtection.py | 26 +++++++++++++ .../aws/QLDBLedgerDeletionProtection.py | 25 +++++++++++++ .../FAIL.yaml | 8 ++++ .../PASS.yaml | 13 +++++++ .../aws/test_QLDBLedgerDeletionProtection.py | 37 +++++++++++++++++++ .../main.tf | 22 +++++++++++ .../aws/test_QLDBLedgerDeletionProtection.py | 37 +++++++++++++++++++ 7 files changed, 168 insertions(+) create mode 100644 checkov/cloudformation/checks/resource/aws/QLDBLedgerDeletionProtection.py create mode 100644 checkov/terraform/checks/resource/aws/QLDBLedgerDeletionProtection.py create mode 100644 tests/cloudformation/checks/resource/aws/example_QLDBLedgerDeletionProtection/FAIL.yaml create mode 100644 tests/cloudformation/checks/resource/aws/example_QLDBLedgerDeletionProtection/PASS.yaml create mode 100644 tests/cloudformation/checks/resource/aws/test_QLDBLedgerDeletionProtection.py create mode 100644 tests/terraform/checks/resource/aws/example_QLDBLedgerDeletionProtection/main.tf create mode 100644 tests/terraform/checks/resource/aws/test_QLDBLedgerDeletionProtection.py diff --git a/checkov/cloudformation/checks/resource/aws/QLDBLedgerDeletionProtection.py b/checkov/cloudformation/checks/resource/aws/QLDBLedgerDeletionProtection.py new file mode 100644 index 0000000000..ae2ff148d8 --- /dev/null +++ b/checkov/cloudformation/checks/resource/aws/QLDBLedgerDeletionProtection.py @@ -0,0 +1,26 @@ +from typing import Dict + +from checkov.cloudformation.parser.node import str_node, dict_node +from checkov.common.models.enums import CheckCategories, CheckResult +from checkov.cloudformation.checks.resource.base_resource_value_check import BaseResourceValueCheck + + +class QLDBLedgerDeletionProtection(BaseResourceValueCheck): + def __init__(self) -> None: + name = "Ensure QLDB ledger has deletion protection enabled" + id = "CKV_AWS_172" + supported_resources = ["AWS::QLDB::Ledger"] + categories = [CheckCategories.GENERAL_SECURITY] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def scan_resource_conf(self, conf: Dict[str_node, dict_node]) -> CheckResult: + # deletion protection is enabled on default + if "DeletionProtection" not in conf.get("Properties", {}): + return CheckResult.PASSED + return super().scan_resource_conf(conf) + + def get_inspected_key(self) -> str: + return "Properties/DeletionProtection" + + +check = QLDBLedgerDeletionProtection() diff --git a/checkov/terraform/checks/resource/aws/QLDBLedgerDeletionProtection.py b/checkov/terraform/checks/resource/aws/QLDBLedgerDeletionProtection.py new file mode 100644 index 0000000000..fa5160a4b0 --- /dev/null +++ b/checkov/terraform/checks/resource/aws/QLDBLedgerDeletionProtection.py @@ -0,0 +1,25 @@ +from typing import Dict, List, Any + +from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck +from checkov.common.models.enums import CheckCategories, CheckResult + + +class QLDBLedgerDeletionProtection(BaseResourceValueCheck): + def __init__(self) -> None: + name = "Ensure QLDB ledger has deletion protection enabled" + id = "CKV_AWS_172" + supported_resources = ["aws_qldb_ledger"] + categories = [CheckCategories.GENERAL_SECURITY] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def scan_resource_conf(self, conf: Dict[str, List[Any]]) -> CheckResult: + # deletion protection is enabled on default + if "deletion_protection" not in conf: + return CheckResult.PASSED + return super().scan_resource_conf(conf) + + def get_inspected_key(self) -> str: + return "deletion_protection" + + +check = QLDBLedgerDeletionProtection() diff --git a/tests/cloudformation/checks/resource/aws/example_QLDBLedgerDeletionProtection/FAIL.yaml b/tests/cloudformation/checks/resource/aws/example_QLDBLedgerDeletionProtection/FAIL.yaml new file mode 100644 index 0000000000..264d781473 --- /dev/null +++ b/tests/cloudformation/checks/resource/aws/example_QLDBLedgerDeletionProtection/FAIL.yaml @@ -0,0 +1,8 @@ +AWSTemplateFormatVersion: "2010-09-09" +Resources: + Disabled: + Type: "AWS::QLDB::Ledger" + Properties: + DeletionProtection: false + Name: "ledger" + PermissionsMode: "STANDARD" diff --git a/tests/cloudformation/checks/resource/aws/example_QLDBLedgerDeletionProtection/PASS.yaml b/tests/cloudformation/checks/resource/aws/example_QLDBLedgerDeletionProtection/PASS.yaml new file mode 100644 index 0000000000..b3e683f6d3 --- /dev/null +++ b/tests/cloudformation/checks/resource/aws/example_QLDBLedgerDeletionProtection/PASS.yaml @@ -0,0 +1,13 @@ +AWSTemplateFormatVersion: "2010-09-09" +Resources: + Default: + Type: "AWS::QLDB::Ledger" + Properties: + Name: "ledger" + PermissionsMode: "STANDARD" + Enabled: + Type: "AWS::QLDB::Ledger" + Properties: + DeletionProtection: true + Name: "ledger" + PermissionsMode: "STANDARD" diff --git a/tests/cloudformation/checks/resource/aws/test_QLDBLedgerDeletionProtection.py b/tests/cloudformation/checks/resource/aws/test_QLDBLedgerDeletionProtection.py new file mode 100644 index 0000000000..b3e2ebd6f0 --- /dev/null +++ b/tests/cloudformation/checks/resource/aws/test_QLDBLedgerDeletionProtection.py @@ -0,0 +1,37 @@ +import unittest +from pathlib import Path + +from checkov.cloudformation.checks.resource.aws.QLDBLedgerDeletionProtection import check +from checkov.cloudformation.runner import Runner +from checkov.runner_filter import RunnerFilter + + +class TestQLDBLedgerDeletionProtection(unittest.TestCase): + def test_summary(self): + test_files_dir = Path(__file__).parent / "example_QLDBLedgerDeletionProtection" + + report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id])) + summary = report.get_summary() + + passing_resources = { + "AWS::QLDB::Ledger.Default", + "AWS::QLDB::Ledger.Enabled", + } + failing_resources = { + "AWS::QLDB::Ledger.Disabled", + } + + passed_check_resources = set([c.resource for c in report.passed_checks]) + failed_check_resources = set([c.resource for c in report.failed_checks]) + + self.assertEqual(summary["passed"], 2) + self.assertEqual(summary["failed"], 1) + self.assertEqual(summary["skipped"], 0) + self.assertEqual(summary["parsing_errors"], 0) + + self.assertEqual(passing_resources, passed_check_resources) + self.assertEqual(failing_resources, failed_check_resources) + + +if __name__ == "__main__": + unittest.main() diff --git a/tests/terraform/checks/resource/aws/example_QLDBLedgerDeletionProtection/main.tf b/tests/terraform/checks/resource/aws/example_QLDBLedgerDeletionProtection/main.tf new file mode 100644 index 0000000000..7a172c21d4 --- /dev/null +++ b/tests/terraform/checks/resource/aws/example_QLDBLedgerDeletionProtection/main.tf @@ -0,0 +1,22 @@ +# pass + +resource "aws_qldb_ledger" "default" { + name = "ledger" + permissions_mode = "STANDARD" +} + +resource "aws_qldb_ledger" "enabled" { + name = "ledger" + permissions_mode = "STANDARD" + + deletion_protection = true +} + +# failure + +resource "aws_qldb_ledger" "disabled" { + name = "ledger" + permissions_mode = "STANDARD" + + deletion_protection = false +} diff --git a/tests/terraform/checks/resource/aws/test_QLDBLedgerDeletionProtection.py b/tests/terraform/checks/resource/aws/test_QLDBLedgerDeletionProtection.py new file mode 100644 index 0000000000..ed9cd67361 --- /dev/null +++ b/tests/terraform/checks/resource/aws/test_QLDBLedgerDeletionProtection.py @@ -0,0 +1,37 @@ +import unittest +from pathlib import Path + +from checkov.runner_filter import RunnerFilter +from checkov.terraform.checks.resource.aws.QLDBLedgerDeletionProtection import check +from checkov.terraform.runner import Runner + + +class TestQLDBLedgerDeletionProtection(unittest.TestCase): + def test(self): + test_files_dir = Path(__file__).parent / "example_QLDBLedgerDeletionProtection" + + report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id])) + summary = report.get_summary() + + passing_resources = { + "aws_qldb_ledger.default", + "aws_qldb_ledger.enabled", + } + failing_resources = { + "aws_qldb_ledger.disabled", + } + + passed_check_resources = set([c.resource for c in report.passed_checks]) + failed_check_resources = set([c.resource for c in report.failed_checks]) + + self.assertEqual(summary["passed"], 2) + self.assertEqual(summary["failed"], 1) + self.assertEqual(summary["skipped"], 0) + self.assertEqual(summary["parsing_errors"], 0) + + self.assertEqual(passing_resources, passed_check_resources) + self.assertEqual(failing_resources, failed_check_resources) + + +if __name__ == "__main__": + unittest.main() From d1930d716a89bb540e0b97fb6820b8c3d1d0045e Mon Sep 17 00:00:00 2001 From: James Woolfenden Date: Mon, 9 Aug 2021 10:51:56 +0100 Subject: [PATCH 019/203] correctly filters out anything that isnt postgres --- .../PostgresRDSHasQueryLoggingEnabled.yaml | 12 ++--- .../expected.yaml | 3 +- .../PostgresRDSHasQueryLoggingEnabled/main.tf | 46 +++++++++++++++++-- 3 files changed, 50 insertions(+), 11 deletions(-) diff --git a/checkov/terraform/checks/graph_checks/aws/PostgresRDSHasQueryLoggingEnabled.yaml b/checkov/terraform/checks/graph_checks/aws/PostgresRDSHasQueryLoggingEnabled.yaml index 6ec537ab39..335e419f7d 100644 --- a/checkov/terraform/checks/graph_checks/aws/PostgresRDSHasQueryLoggingEnabled.yaml +++ b/checkov/terraform/checks/graph_checks/aws/PostgresRDSHasQueryLoggingEnabled.yaml @@ -9,18 +9,18 @@ definition: value: - aws_db_instance operator: within + - cond_type: filter + resource_types: + - aws_db_instance + attribute: engine + operator: within + value: "postgres" - cond_type: connection resource_types: - aws_db_instance connected_resource_types: - aws_rds_cluster_parameter_group operator: exists - - cond_type: attribute - resource_types: - - aws_db_instance - attribute: "engine" - operator: contains - value: "postgres" - cond_type: attribute resource_types: - aws_rds_cluster_parameter_group diff --git a/tests/terraform/graph/checks/resources/PostgresRDSHasQueryLoggingEnabled/expected.yaml b/tests/terraform/graph/checks/resources/PostgresRDSHasQueryLoggingEnabled/expected.yaml index b77c998bc1..ea62381221 100644 --- a/tests/terraform/graph/checks/resources/PostgresRDSHasQueryLoggingEnabled/expected.yaml +++ b/tests/terraform/graph/checks/resources/PostgresRDSHasQueryLoggingEnabled/expected.yaml @@ -1,7 +1,8 @@ pass: - "aws_db_instance.pass" + + fail: - "aws_db_instance.fail" - - "aws_db_instance.fail2" - "aws_db_instance.fail3" - "aws_db_instance.fail4" diff --git a/tests/terraform/graph/checks/resources/PostgresRDSHasQueryLoggingEnabled/main.tf b/tests/terraform/graph/checks/resources/PostgresRDSHasQueryLoggingEnabled/main.tf index 31a71dff2c..648108c7bf 100644 --- a/tests/terraform/graph/checks/resources/PostgresRDSHasQueryLoggingEnabled/main.tf +++ b/tests/terraform/graph/checks/resources/PostgresRDSHasQueryLoggingEnabled/main.tf @@ -19,16 +19,22 @@ resource "aws_db_instance" "fail4" { parameter_group_name = aws_rds_cluster_parameter_group.fail2.id } - //no parameter_group_name set resource "aws_db_instance" "fail" { + engine = "postgres" + instance_class = "db.t3.micro" + name = "mydb" +} + +//not postgres +resource "aws_db_instance" "ignore" { engine = "mysql" instance_class = "db.t3.micro" name = "mydb" } // no postgres -resource "aws_db_instance" "fail2" { +resource "aws_db_instance" "ignore2" { allocated_storage = 10 engine = "mysql" engine_version = "5.7" @@ -58,7 +64,7 @@ resource "aws_rds_cluster_parameter_group" "fail" { } provider "aws" { -region="eu-west-2" + region="eu-west-2" } //will be correct params @@ -87,4 +93,36 @@ resource "aws_rds_cluster_parameter_group" "fail2" { name = "log_statement" value = "all" } -} \ No newline at end of file +} + +resource "aws_db_instance" "ignore3" { + identifier = "xxx-our-unique-id" + allocated_storage = 1000 + storage_type = "gp2" + copy_tags_to_snapshot = true + engine = "sqlserver-se" + engine_version = "15.00.4043.16.v1" + license_model = "license-included" + instance_class = "db.r5.4xlarge" + name = "" + username = "sa" + password = var.password + port = 1433 + publicly_accessible = false + security_group_names = [] + vpc_security_group_ids = ["sg-xxxxx"] + db_subnet_group_name = "dbsubnet" + performance_insights_enabled = true + option_group_name = "sql-std-2019" + deletion_protection = true + max_allocated_storage = 1500 + parameter_group_name = "sql-server-2019-std" + character_set_name = "SQL_Latin1_General_CP1_CS_AS" + # checkov:skip=CKV_AWS_157:Web db, acceptable risk until Resize + multi_az = false + backup_retention_period = 35 + enabled_cloudwatch_logs_exports = ["agent","error"] + backup_window = "11:17-11:47" + maintenance_window = "sat:07:13-sat:08:43" + final_snapshot_identifier = "xxx-unique-name-final" +} From 2ecc7bfbe5ff6159e605b8386bf2d213cc2766c8 Mon Sep 17 00:00:00 2001 From: nimrodkor Date: Mon, 9 Aug 2021 13:33:12 +0300 Subject: [PATCH 020/203] Fix CKV_AZURE_125 --- ...zureServiceFabricClusterProtectionLevel.py | 25 +++++ .../AzureServiceFabricClusterUseADAuth.py | 21 ---- ...zureServiceFabricClusterProtectionLevel.py | 105 ++++++++++++++++++ ...test_AzureServiceFabricClusterUseADAuth.py | 69 ------------ 4 files changed, 130 insertions(+), 90 deletions(-) create mode 100644 checkov/terraform/checks/resource/azure/AzureServiceFabricClusterProtectionLevel.py delete mode 100644 checkov/terraform/checks/resource/azure/AzureServiceFabricClusterUseADAuth.py create mode 100644 tests/terraform/checks/resource/azure/test_AzureServiceFabricClusterProtectionLevel.py delete mode 100644 tests/terraform/checks/resource/azure/test_AzureServiceFabricClusterUseADAuth.py diff --git a/checkov/terraform/checks/resource/azure/AzureServiceFabricClusterProtectionLevel.py b/checkov/terraform/checks/resource/azure/AzureServiceFabricClusterProtectionLevel.py new file mode 100644 index 0000000000..6841a058fc --- /dev/null +++ b/checkov/terraform/checks/resource/azure/AzureServiceFabricClusterProtectionLevel.py @@ -0,0 +1,25 @@ +from typing import Dict, List, Any + +from checkov.common.models.enums import CheckCategories, CheckResult +from checkov.common.util.type_forcers import force_list +from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck + + +class AzureServiceFabricClusterProtectionLevel(BaseResourceCheck): + def __init__(self): + name = "Ensures that Service Fabric use three levels of protection available" + id = "CKV_AZURE_125" + supported_resources = ['azurerm_service_fabric_cluster'] + categories = [CheckCategories.ENCRYPTION] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def scan_resource_conf(self, conf: Dict[str, List[Any]]) -> CheckResult: + for setting in force_list(conf.get('fabric_settings')): + if setting and setting.get('name') == ['Security']: + params = setting.get('parameters', [{}])[0] + if params.get('name') == 'ClusterProtectionLevel' and params.get('value') == 'EncryptAndSign': + return CheckResult.PASSED + return CheckResult.FAILED + + +check = AzureServiceFabricClusterProtectionLevel() diff --git a/checkov/terraform/checks/resource/azure/AzureServiceFabricClusterUseADAuth.py b/checkov/terraform/checks/resource/azure/AzureServiceFabricClusterUseADAuth.py deleted file mode 100644 index 54303ee62d..0000000000 --- a/checkov/terraform/checks/resource/azure/AzureServiceFabricClusterUseADAuth.py +++ /dev/null @@ -1,21 +0,0 @@ -from checkov.common.models.enums import CheckCategories -from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck -from checkov.common.models.consts import ANY_VALUE - - -class AzureServiceFabricClusterUseADAuth(BaseResourceValueCheck): - def __init__(self): - name = "Ensures that Active Directory is used for authentication for Service Fabric" - id = "CKV_AZURE_125" - supported_resources = ['azurerm_service_fabric_cluster'] - categories = [CheckCategories.ENCRYPTION] - super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) - - def get_inspected_key(self): - return 'azure_active_directory/[0]/tenant_id' - - def get_expected_value(self): - return ANY_VALUE - - -check = AzureServiceFabricClusterUseADAuth() diff --git a/tests/terraform/checks/resource/azure/test_AzureServiceFabricClusterProtectionLevel.py b/tests/terraform/checks/resource/azure/test_AzureServiceFabricClusterProtectionLevel.py new file mode 100644 index 0000000000..87d86308e2 --- /dev/null +++ b/tests/terraform/checks/resource/azure/test_AzureServiceFabricClusterProtectionLevel.py @@ -0,0 +1,105 @@ +import unittest + +import hcl2 + +from checkov.terraform.checks.resource.azure.AzureServiceFabricClusterProtectionLevel import check +from checkov.common.models.enums import CheckResult + + +class TestAzureServiceFabricClusterProtectionLevel(unittest.TestCase): + def test_passing(self): + hcl_res = hcl2.loads(""" + resource "azurerm_service_fabric_cluster" "example" { + name = "example-servicefabric" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + reliability_level = "Bronze" + upgrade_mode = "Manual" + cluster_code_version = "7.1.456.959" + vm_image = "Windows" + management_endpoint = "https://example:80" + fabric_settings { + name = "Security" + parameters = { + name = "ClusterProtectionLevel" + value = "EncryptAndSign" + } + } + + + node_type { + name = "first" + instance_count = 3 + is_primary = true + client_endpoint_port = 2020 + http_endpoint_port = 80 + } +} + """) + resource_conf = hcl_res['resource'][0]['azurerm_service_fabric_cluster']['example'] + scan_result = check.scan_resource_conf(conf=resource_conf) + self.assertEqual(CheckResult.PASSED, scan_result) + + def test_missing(self): + hcl_res = hcl2.loads(""" + resource "azurerm_service_fabric_cluster" "example" { + name = "example-servicefabric" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + reliability_level = "Bronze" + upgrade_mode = "Manual" + cluster_code_version = "7.1.456.959" + vm_image = "Windows" + management_endpoint = "https://example:80" + + + node_type { + name = "first" + instance_count = 3 + is_primary = true + client_endpoint_port = 2020 + http_endpoint_port = 80 + } + } + """) + resource_conf = hcl_res['resource'][0]['azurerm_service_fabric_cluster']['example'] + scan_result = check.scan_resource_conf(conf=resource_conf) + self.assertEqual(CheckResult.FAILED, scan_result) + + def test_wrong(self): + def test_passing(self): + hcl_res = hcl2.loads(""" + resource "azurerm_service_fabric_cluster" "example" { + name = "example-servicefabric" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + reliability_level = "Bronze" + upgrade_mode = "Manual" + cluster_code_version = "7.1.456.959" + vm_image = "Windows" + management_endpoint = "https://example:80" + fabric_settings { + name = "Security" + parameters = { + name = "ClusterProtectionLevel" + value = "Sign" + } + } + + + node_type { + name = "first" + instance_count = 3 + is_primary = true + client_endpoint_port = 2020 + http_endpoint_port = 80 + } + } + """) + resource_conf = hcl_res['resource'][0]['azurerm_service_fabric_cluster']['example'] + scan_result = check.scan_resource_conf(conf=resource_conf) + self.assertEqual(CheckResult.FAILED, scan_result) + + +if __name__ == '__main__': + unittest.main() diff --git a/tests/terraform/checks/resource/azure/test_AzureServiceFabricClusterUseADAuth.py b/tests/terraform/checks/resource/azure/test_AzureServiceFabricClusterUseADAuth.py deleted file mode 100644 index 025e736f09..0000000000 --- a/tests/terraform/checks/resource/azure/test_AzureServiceFabricClusterUseADAuth.py +++ /dev/null @@ -1,69 +0,0 @@ -import unittest - -import hcl2 - -from checkov.terraform.checks.resource.azure.AzureServiceFabricClusterUseADAuth import check -from checkov.common.models.enums import CheckResult - - -class TestAzureServiceFabricClusterUseADAuth(unittest.TestCase): - - def test_failure(self): - hcl_res = hcl2.loads(""" - resource "azurerm_service_fabric_cluster" "example" { - name = "example-servicefabric" - resource_group_name = azurerm_resource_group.example.name - location = azurerm_resource_group.example.location - reliability_level = "Bronze" - upgrade_mode = "Manual" - cluster_code_version = "7.1.456.959" - vm_image = "Windows" - management_endpoint = "https://example:80" - - node_type { - name = "first" - instance_count = 3 - is_primary = true - client_endpoint_port = 2020 - http_endpoint_port = 80 - } - } - """) - resource_conf = hcl_res['resource'][0]['azurerm_service_fabric_cluster']['example'] - scan_result = check.scan_resource_conf(conf=resource_conf) - self.assertEqual(CheckResult.FAILED, scan_result) - - def test_success(self): - hcl_res = hcl2.loads(""" - resource "azurerm_service_fabric_cluster" "example" { - name = "example-servicefabric" - resource_group_name = azurerm_resource_group.example.name - location = azurerm_resource_group.example.location - reliability_level = "Bronze" - upgrade_mode = "Manual" - cluster_code_version = "7.1.456.959" - vm_image = "Windows" - management_endpoint = "https://example:80" - - azure_active_directory { - tenant_id = "4545" - cluster_application_id = "87878" - client_application_id = "9090" - } - - node_type { - name = "first" - instance_count = 3 - is_primary = true - client_endpoint_port = 2020 - http_endpoint_port = 80 - } - } - """) - resource_conf = hcl_res['resource'][0]['azurerm_service_fabric_cluster']['example'] - scan_result = check.scan_resource_conf(conf=resource_conf) - self.assertEqual(CheckResult.PASSED, scan_result) - - -if __name__ == '__main__': - unittest.main() From 4ab2233d3b466d8c8baa6433e90e328f8cc63daf Mon Sep 17 00:00:00 2001 From: James Woolfenden Date: Mon, 9 Aug 2021 11:41:38 +0100 Subject: [PATCH 021/203] fix false positive --- .../checks/resource/aws/CodeBuildProjectEncryption.py | 4 +++- .../terraform/checks/resource/aws/test_CodeBuildEncrypted.py | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/checkov/terraform/checks/resource/aws/CodeBuildProjectEncryption.py b/checkov/terraform/checks/resource/aws/CodeBuildProjectEncryption.py index b3a9f84212..f9c908d008 100644 --- a/checkov/terraform/checks/resource/aws/CodeBuildProjectEncryption.py +++ b/checkov/terraform/checks/resource/aws/CodeBuildProjectEncryption.py @@ -20,7 +20,9 @@ def scan_resource_conf(self, conf): self.evaluated_keys = 'artifacts/[0]/type' elif 'encryption_disabled' in artifact and artifact['encryption_disabled']: self.evaluated_keys = 'artifacts/[0]/encryption_disabled' - return CheckResult.FAILED + if artifact['encryption_disabled'] == [True]: + return CheckResult.FAILED + return CheckResult.PASSED diff --git a/tests/terraform/checks/resource/aws/test_CodeBuildEncrypted.py b/tests/terraform/checks/resource/aws/test_CodeBuildEncrypted.py index 02febbbca1..dd7237f7f5 100644 --- a/tests/terraform/checks/resource/aws/test_CodeBuildEncrypted.py +++ b/tests/terraform/checks/resource/aws/test_CodeBuildEncrypted.py @@ -5,7 +5,7 @@ from checkov.common.models.enums import CheckResult -class TestRDSClusterEncrypted(unittest.TestCase): +class TestCodeBuildEncrypted(unittest.TestCase): def test_failure(self): hcl_res = hcl2.loads(""" resource "aws_codebuild_project" "example" { From 4875270bf6c1ca0793f172e499ac02511f81645c Mon Sep 17 00:00:00 2001 From: Barak Schoster Goihman Date: Mon, 9 Aug 2021 14:34:39 +0300 Subject: [PATCH 022/203] add secrets to list command (#1480) --- .github/workflows/build.yml | 2 +- checkov/common/util/docs_generator.py | 10 ++++++---- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index dd706cd999..8eb2b1e7fc 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -86,7 +86,7 @@ jobs: export PYTHONPATH='.' git pull - for i in cloudformation terraform kubernetes serverless arm dockerfile all + for i in cloudformation terraform kubernetes serverless arm dockerfile secrets all do export scansdoc="docs/5.Policy Index/$i.md" echo "---" > "$scansdoc" diff --git a/checkov/common/util/docs_generator.py b/checkov/common/util/docs_generator.py index 69173f544b..3cc375ccba 100644 --- a/checkov/common/util/docs_generator.py +++ b/checkov/common/util/docs_generator.py @@ -1,21 +1,20 @@ #!/usr/bin/env python import re - from tabulate import tabulate from checkov.arm.registry import arm_resource_registry, arm_parameter_registry from checkov.cloudformation.checks.resource.registry import cfn_registry as cfn_registry from checkov.common.checks.base_check_registry import BaseCheckRegistry +from checkov.common.checks_infra.registry import BaseRegistry as BaseGraphRegistry, get_graph_checks_registry +from checkov.dockerfile.registry import registry as dockerfile_registry from checkov.kubernetes.registry import registry as k8_registry +from checkov.secrets.runner import CHECK_ID_TO_SECRET_TYPE from checkov.serverless.registry import sls_registry -from checkov.dockerfile.registry import registry as dockerfile_registry - from checkov.terraform.checks.data.registry import data_registry from checkov.terraform.checks.module.registry import module_registry from checkov.terraform.checks.provider.registry import provider_registry from checkov.terraform.checks.resource.registry import resource_registry -from checkov.common.checks_infra.registry import BaseRegistry as BaseGraphRegistry, get_graph_checks_registry ID_PARTS_PATTERN = re.compile(r'([^_]*)_([^_]*)_(\d+)') @@ -72,6 +71,9 @@ def add_from_repository(registry, checked_type: str, iac: str): if framework == "arm" or framework == "all": add_from_repository(arm_resource_registry, "resource", "arm") add_from_repository(arm_parameter_registry, "parameter", "arm") + if framework == "secrets" or framework == "all": + for check_id, check_type in CHECK_ID_TO_SECRET_TYPE.items(): + printable_checks_list.append((check_id, check_type, "secrets", check_type, check_type, "secrets")) return sorted(printable_checks_list, key=get_compare_key) From f06548d42bade78e5eeae846f4c8fe0e2c6bcfe9 Mon Sep 17 00:00:00 2001 From: Nimrod Kor Date: Mon, 9 Aug 2021 14:24:18 +0300 Subject: [PATCH 023/203] Merge pull request #1478 from bridgecrewio/fix_azure_125 Fix CKV_AZURE_125 --- docs/5.Policy Index/terraform.md | 604 +++++++++++++++---------------- 1 file changed, 302 insertions(+), 302 deletions(-) diff --git a/docs/5.Policy Index/terraform.md b/docs/5.Policy Index/terraform.md index 6355e800ed..76675031cc 100644 --- a/docs/5.Policy Index/terraform.md +++ b/docs/5.Policy Index/terraform.md @@ -202,12 +202,12 @@ nav_order: 1 | 191 | CKV_AWS_171 | resource | aws_emr_security_configuration | Ensure Cluster security configuration encryption is using SSE-KMS | Terraform | | 192 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | | 193 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | -| 194 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | -| 195 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 194 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 195 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | | 196 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | | 197 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 198 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | -| 199 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 198 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 199 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | | 200 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to an other resource | Terraform | | 201 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | | 202 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | @@ -220,12 +220,12 @@ nav_order: 1 | 209 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | | 210 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | | 211 | CKV2_AWS_13 | resource | aws_redshift_cluster | Ensure that Redshift clusters has backup plan of AWS Backup | Terraform | -| 212 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | -| 213 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | +| 212 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | +| 213 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | | 214 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | | 215 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 216 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | -| 217 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | +| 216 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | +| 217 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 218 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | | 219 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | | 220 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | @@ -379,7 +379,7 @@ nav_order: 1 | 368 | CKV_AZURE_122 | resource | azurerm_web_application_firewall_policy | Ensure that Application Gateway uses WAF in "Detection" or "Prevention" modes | Terraform | | 369 | CKV_AZURE_123 | resource | azurerm_frontdoor_firewall_policy | Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes | Terraform | | 370 | CKV_AZURE_124 | resource | azurerm_search_service | Ensure that Azure Cognitive Search disables public network access | Terraform | -| 371 | CKV_AZURE_125 | resource | azurerm_service_fabric_cluster | Ensures that Active Directory is used for authentication for Service Fabric | Terraform | +| 371 | CKV_AZURE_125 | resource | azurerm_service_fabric_cluster | Ensures that Service Fabric use three levels of protection available | Terraform | | 372 | CKV_AZURE_126 | resource | azurerm_service_fabric_cluster | Ensures that Active Directory is used for authentication for Service Fabric | Terraform | | 373 | CKV_AZURE_127 | resource | azurerm_mysql_server | Ensure that My SQL server enables Threat detection policy | Terraform | | 374 | CKV_AZURE_128 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables Threat detection policy | Terraform | @@ -387,45 +387,45 @@ nav_order: 1 | 376 | CKV_AZURE_130 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables infrastructure encryption | Terraform | | 377 | CKV_AZURE_131 | resource | azurerm_security_center_contact | Ensure that 'Security contact emails' is set | Terraform | | 378 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | -| 379 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 380 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 381 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 382 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 383 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 384 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 385 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 386 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 387 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 388 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 389 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 379 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 380 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 381 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 382 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 383 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 384 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 385 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 386 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 387 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 388 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 389 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | | 390 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 391 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 392 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | -| 393 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | -| 394 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | +| 393 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | +| 394 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 395 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | | 396 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | | 397 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | | 398 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | | 399 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | -| 400 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | -| 401 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | +| 400 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | +| 401 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | | 402 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | | 403 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | | 404 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | | 405 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | | 406 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 407 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 408 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 409 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | -| 410 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 407 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 408 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 409 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 410 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 411 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | -| 412 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 413 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 414 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 415 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 412 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 413 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 414 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 415 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 416 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 417 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 417 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 418 | CKV_GCP_1 | resource | google_container_cluster | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters | Terraform | | 419 | CKV_GCP_2 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted ssh access | Terraform | | 420 | CKV_GCP_3 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted rdp access | Terraform | @@ -510,277 +510,277 @@ nav_order: 1 | 499 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | | 500 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | | 501 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 502 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 503 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 504 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 505 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 506 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 507 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 508 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 509 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 510 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 511 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 512 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 513 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 514 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 515 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 516 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 517 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 518 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 519 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 520 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 521 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 522 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 523 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 524 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 525 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 526 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 527 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 528 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 529 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 530 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 531 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 532 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 533 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 534 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 535 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 536 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 537 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 538 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 539 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 540 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 541 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 542 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 543 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 544 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 545 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 546 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 547 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 548 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 549 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 550 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 551 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 552 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 553 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 554 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 555 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 556 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 557 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 558 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 559 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 560 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 561 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 562 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 563 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 564 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 565 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 566 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 567 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 568 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 569 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 570 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 571 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 572 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 573 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 574 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 575 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 576 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 577 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 578 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 579 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 580 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 581 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 582 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 583 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 584 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 585 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 586 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 587 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 588 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 589 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 590 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 591 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 592 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 593 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 594 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 595 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 596 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 597 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 598 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 599 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 600 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 601 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 602 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 603 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 604 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 605 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 606 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 607 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 608 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 609 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 610 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 611 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 612 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 613 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 614 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 615 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 616 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 617 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 618 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 619 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 620 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 621 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 622 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 623 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 624 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 625 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 626 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 627 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 628 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 629 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 630 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 631 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 632 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 633 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 634 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 635 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 636 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 637 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 638 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 639 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 640 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 641 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 642 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 643 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 644 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 645 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 646 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 647 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 648 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 649 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 650 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 651 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 652 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 653 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 654 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 655 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 656 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 657 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 658 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 659 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 660 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 661 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 662 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 663 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 664 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 665 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 666 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 667 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 668 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 669 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 670 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 671 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 672 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 673 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 674 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 675 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 676 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 677 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 678 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 679 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 680 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 681 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 682 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 683 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 684 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 685 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 686 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 687 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 688 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 689 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 690 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 691 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 692 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 693 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 694 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 695 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 696 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 697 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 698 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 699 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 700 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 701 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 702 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 703 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 704 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 705 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 706 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 707 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 708 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 709 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 710 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 711 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 712 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 713 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 714 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 715 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 716 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 717 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 718 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 719 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 720 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 721 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 722 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 723 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 724 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 725 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 726 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 727 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 728 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 729 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 730 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 731 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 732 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 733 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 734 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 735 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 736 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 737 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 738 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 739 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 740 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 741 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 742 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 743 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 744 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 745 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 746 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 747 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 748 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 749 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 750 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 751 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 752 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 753 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 754 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 755 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 756 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 757 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 758 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 759 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 760 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 761 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 762 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 763 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 764 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 502 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 503 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 504 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 505 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 506 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 507 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 508 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 509 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 510 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 511 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 512 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 513 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 514 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 515 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 516 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 517 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 518 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 519 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 520 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 521 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 522 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 523 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 524 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 525 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 526 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 527 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 528 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 529 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 530 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 531 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 532 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 533 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 534 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 535 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 536 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 537 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 538 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 539 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 540 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 541 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 542 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 543 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 544 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 545 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 546 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 547 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 548 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 549 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 550 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 551 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 552 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 553 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 554 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 555 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 556 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 557 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 558 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 559 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 560 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 561 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 562 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 563 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 564 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 565 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 566 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 567 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 568 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 569 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 570 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 571 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 572 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 573 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 574 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 575 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 576 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 577 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 578 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 579 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 580 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 581 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 582 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 583 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 584 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 585 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 586 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 587 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 588 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 589 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 590 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 591 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 592 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 593 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 594 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 595 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 596 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 597 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 598 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 599 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 600 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 601 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 602 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 603 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 604 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 605 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 606 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 607 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 608 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 609 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 610 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 611 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 612 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 613 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 614 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 615 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 616 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 617 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 618 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 619 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 620 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 621 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 622 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 623 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 624 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 625 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 626 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 627 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 628 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 629 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 630 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 631 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 632 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 633 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 634 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 635 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 636 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 637 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 638 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 639 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 640 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 641 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 642 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 643 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 644 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 645 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 646 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 647 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 648 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 649 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 650 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 651 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 652 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 653 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 654 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 655 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 656 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 657 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 658 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 659 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 660 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 661 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 662 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 663 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 664 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 665 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 666 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 667 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 668 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 669 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 670 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 671 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 672 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 673 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 674 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 675 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 676 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 677 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 678 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 679 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 680 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 681 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 682 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 683 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 684 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 685 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 686 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 687 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 688 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 689 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 690 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 691 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 692 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 693 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 694 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 695 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 696 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 697 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 698 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 699 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 700 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 701 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 702 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 703 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 704 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 705 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 706 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 707 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 708 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 709 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 710 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 711 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 712 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 713 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 714 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 715 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 716 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 717 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 718 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 719 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 720 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 721 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 722 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 723 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 724 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 725 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 726 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 727 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 728 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 729 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 730 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 731 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 732 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 733 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 734 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 735 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 736 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 737 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 738 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 739 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 740 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 741 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 742 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 743 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 744 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 745 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 746 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 747 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 748 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 749 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 750 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 751 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 752 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 753 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 754 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 755 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 756 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 757 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 758 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 759 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 760 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 761 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 762 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 763 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 764 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 765 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 766 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 767 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 768 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 769 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 770 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 771 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 772 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 767 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 768 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 769 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 770 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 771 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 772 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | | 773 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 774 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 775 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform | From 625e76587f7f9afe2f8fe00c7e0c4e271a50347e Mon Sep 17 00:00:00 2001 From: Barak Schoster Goihman Date: Mon, 9 Aug 2021 14:34:39 +0300 Subject: [PATCH 024/203] add secrets to list command (#1480) --- docs/5.Policy Index/serverless.md | 129 ------------------------------ 1 file changed, 129 deletions(-) diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index 903b7147ef..d35af83ca3 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md @@ -16,132 +16,3 @@ nav_order: 1 --- -| | Id | Type | Entity | Policy | IaC | -|-----|-------------|----------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| -| 0 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | -| 1 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | -| 2 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | -| 3 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | -| 4 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | -| 5 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | -| 6 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | -| 7 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | -| 8 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | -| 9 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | -| 10 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | -| 11 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | -| 12 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | -| 13 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | -| 14 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | -| 15 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 16 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 17 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 18 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 19 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | -| 20 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | -| 21 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | -| 22 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | -| 23 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | -| 24 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | -| 25 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | -| 26 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | -| 27 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | -| 28 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | -| 29 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | -| 30 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | -| 31 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | -| 32 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | -| 33 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | -| 34 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | -| 35 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | -| 36 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | -| 37 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | -| 38 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | -| 39 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | -| 40 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | -| 41 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | -| 42 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | -| 43 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | -| 44 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | -| 45 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | -| 46 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | -| 47 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | -| 48 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | -| 49 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | -| 50 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | -| 51 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | -| 52 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | -| 53 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | -| 54 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | -| 55 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | -| 56 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | -| 57 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | -| 58 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | -| 59 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | -| 60 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | -| 61 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | -| 62 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | -| 63 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | -| 64 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | -| 65 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | -| 66 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | -| 67 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | -| 68 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | -| 69 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | -| 70 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | -| 71 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | -| 72 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | -| 73 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | -| 74 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | -| 75 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | -| 76 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | -| 77 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | -| 78 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | -| 79 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | -| 80 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 81 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 82 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 83 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 84 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 85 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 86 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 87 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 88 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 89 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 90 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 91 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 92 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 93 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 94 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 95 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 96 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 97 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 98 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 99 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 100 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 101 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 102 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 103 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 104 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 105 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | -| 106 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | -| 107 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | -| 108 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | -| 109 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | -| 110 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | -| 111 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | -| 112 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | -| 113 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | -| 114 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | -| 115 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | -| 116 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | -| 117 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | -| 118 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | -| 119 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | -| 120 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | -| 121 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | - - ---- - - From abe1d5a2044e2aaee8896774ae0ee3d52821e6ca Mon Sep 17 00:00:00 2001 From: Nimrod Kor Date: Mon, 9 Aug 2021 14:24:18 +0300 Subject: [PATCH 025/203] Merge pull request #1478 from bridgecrewio/fix_azure_125 Fix CKV_AZURE_125 --- docs/5.Policy Index/all.md | 2360 ++++++++++++++++++------------------ 1 file changed, 1189 insertions(+), 1171 deletions(-) diff --git a/docs/5.Policy Index/all.md b/docs/5.Policy Index/all.md index 780bf014ab..6726337d03 100644 --- a/docs/5.Policy Index/all.md +++ b/docs/5.Policy Index/all.md @@ -6,1177 +6,1195 @@ nav_order: 1 # all resource scans (auto generated) -| | Id | Type | Entity | Policy | IaC | -|------|---------------|------------|------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| -| 0 | CKV_AWS_1 | data | aws_iam_policy_document | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | -| 1 | CKV_AWS_1 | resource | serverless_aws | Ensure IAM policies that allow full "*-*" administrative privileges are not created | serverless | -| 2 | CKV_AWS_2 | resource | aws_lb_listener | Ensure ALB protocol is HTTPS | Terraform | -| 3 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | -| 4 | CKV_AWS_3 | resource | aws_ebs_volume | Ensure all data stored in the EBS is securely encrypted | Terraform | -| 5 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | -| 6 | CKV_AWS_5 | resource | aws_elasticsearch_domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Terraform | -| 7 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | -| 8 | CKV_AWS_6 | resource | aws_elasticsearch_domain | Ensure all Elasticsearch has node-to-node encryption enabled | Terraform | -| 9 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | -| 10 | CKV_AWS_7 | resource | aws_kms_key | Ensure rotation for customer created CMKs is enabled | Terraform | -| 11 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | -| 12 | CKV_AWS_8 | resource | aws_instance | Ensure all data stored in the Launch configuration EBS is securely encrypted | Terraform | -| 13 | CKV_AWS_8 | resource | aws_launch_configuration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Terraform | -| 14 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | -| 15 | CKV_AWS_9 | resource | aws_iam_account_password_policy | Ensure IAM password policy expires passwords within 90 days or less | Terraform | -| 16 | CKV_AWS_10 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires minimum length of 14 or greater | Terraform | -| 17 | CKV_AWS_11 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one lowercase letter | Terraform | -| 18 | CKV_AWS_12 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one number | Terraform | -| 19 | CKV_AWS_13 | resource | aws_iam_account_password_policy | Ensure IAM password policy prevents password reuse | Terraform | -| 20 | CKV_AWS_14 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one symbol | Terraform | -| 21 | CKV_AWS_15 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one uppercase letter | Terraform | -| 22 | CKV_AWS_16 | resource | aws_db_instance | Ensure all data stored in the RDS is securely encrypted at rest | Terraform | -| 23 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | -| 24 | CKV_AWS_17 | resource | aws_db_instance | Ensure all data stored in RDS is not publicly accessible | Terraform | -| 25 | CKV_AWS_17 | resource | aws_rds_cluster_instance | Ensure all data stored in RDS is not publicly accessible | Terraform | -| 26 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | -| 27 | CKV_AWS_18 | resource | aws_s3_bucket | Ensure the S3 bucket has access logging enabled | Terraform | -| 28 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | -| 29 | CKV_AWS_19 | resource | aws_s3_bucket | Ensure all data stored in the S3 bucket is securely encrypted at rest | Terraform | -| 30 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | -| 31 | CKV_AWS_20 | resource | aws_s3_bucket | S3 Bucket has an ACL defined which allows public READ access. | Terraform | -| 32 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | -| 33 | CKV_AWS_21 | resource | aws_s3_bucket | Ensure all data stored in the S3 bucket have versioning enabled | Terraform | -| 34 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | -| 35 | CKV_AWS_22 | resource | aws_sagemaker_notebook_instance | Ensure SageMaker Notebook is encrypted at rest using KMS CMK | Terraform | -| 36 | CKV_AWS_23 | resource | aws_security_group | Ensure every security groups rule has a description | Terraform | -| 37 | CKV_AWS_23 | resource | aws_security_group_rule | Ensure every security groups rule has a description | Terraform | -| 38 | CKV_AWS_23 | resource | aws_db_security_group | Ensure every security groups rule has a description | Terraform | -| 39 | CKV_AWS_23 | resource | aws_elasticache_security_group | Ensure every security groups rule has a description | Terraform | -| 40 | CKV_AWS_23 | resource | aws_redshift_security_group | Ensure every security groups rule has a description | Terraform | -| 41 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | -| 42 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | -| 43 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | -| 44 | CKV_AWS_24 | resource | aws_security_group | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Terraform | -| 45 | CKV_AWS_24 | resource | aws_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Terraform | -| 46 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 47 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 48 | CKV_AWS_25 | resource | aws_security_group | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Terraform | -| 49 | CKV_AWS_25 | resource | aws_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Terraform | -| 50 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 51 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 52 | CKV_AWS_26 | resource | aws_sns_topic | Ensure all data stored in the SNS topic is encrypted | Terraform | -| 53 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | -| 54 | CKV_AWS_27 | resource | aws_sqs_queue | Ensure all data stored in the SQS queue is encrypted | Terraform | -| 55 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | -| 56 | CKV_AWS_28 | resource | aws_dynamodb_table | Ensure Dynamodb point in time recovery (backup) is enabled | Terraform | -| 57 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | -| 58 | CKV_AWS_29 | resource | aws_elasticache_replication_group | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Terraform | -| 59 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | -| 60 | CKV_AWS_30 | resource | aws_elasticache_replication_group | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Terraform | -| 61 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | -| 62 | CKV_AWS_31 | resource | aws_elasticache_replication_group | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Terraform | -| 63 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | -| 64 | CKV_AWS_32 | resource | aws_ecr_repository_policy | Ensure ECR policy is not set to public | Terraform | -| 65 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | -| 66 | CKV_AWS_33 | resource | aws_kms_key | Ensure KMS key policy does not contain wildcard (*) principal | Terraform | -| 67 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | -| 68 | CKV_AWS_34 | resource | aws_cloudfront_distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Terraform | -| 69 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | -| 70 | CKV_AWS_35 | resource | aws_cloudtrail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Terraform | -| 71 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | -| 72 | CKV_AWS_36 | resource | aws_cloudtrail | Ensure CloudTrail log file validation is enabled | Terraform | -| 73 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | -| 74 | CKV_AWS_37 | resource | aws_eks_cluster | Ensure Amazon EKS control plane logging enabled for all log types | Terraform | -| 75 | CKV_AWS_38 | resource | aws_eks_cluster | Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0 | Terraform | -| 76 | CKV_AWS_39 | resource | aws_eks_cluster | Ensure Amazon EKS public endpoint disabled | Terraform | -| 77 | CKV_AWS_40 | resource | aws_iam_user_policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Terraform | -| 78 | CKV_AWS_40 | resource | aws_iam_user_policy_attachment | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Terraform | -| 79 | CKV_AWS_40 | resource | aws_iam_policy_attachment | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Terraform | -| 80 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | -| 81 | CKV_AWS_41 | provider | aws | Ensure no hard coded AWS access key and secret key exists in provider | Terraform | -| 82 | CKV_AWS_41 | resource | serverless_aws | Ensure no hard coded AWS access key and secret key exists in provider | serverless | -| 83 | CKV_AWS_42 | resource | aws_efs_file_system | Ensure EFS is securely encrypted | Terraform | -| 84 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | -| 85 | CKV_AWS_43 | resource | aws_kinesis_stream | Ensure Kinesis Stream is securely encrypted | Terraform | -| 86 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | -| 87 | CKV_AWS_44 | resource | aws_neptune_cluster | Ensure Neptune storage is securely encrypted | Terraform | -| 88 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | -| 89 | CKV_AWS_45 | resource | aws_lambda_function | Ensure no hard-coded secrets exist in lambda environment | Terraform | -| 90 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | -| 91 | CKV_AWS_46 | resource | aws_instance | Ensure no hard-coded secrets exist in EC2 user data | Terraform | -| 92 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | -| 93 | CKV_AWS_47 | resource | aws_dax_cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Terraform | -| 94 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | -| 95 | CKV_AWS_48 | resource | aws_mq_broker | Ensure MQ Broker logging is enabled | Terraform | -| 96 | CKV_AWS_49 | data | aws_iam_policy_document | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | -| 97 | CKV_AWS_49 | resource | serverless_aws | Ensure no IAM policies documents allow "*" as a statement's actions | serverless | -| 98 | CKV_AWS_50 | resource | aws_lambda_function | X-ray tracing is enabled for Lambda | Terraform | -| 99 | CKV_AWS_51 | resource | aws_ecr_repository | Ensure ECR Image Tags are immutable | Terraform | -| 100 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | -| 101 | CKV_AWS_53 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has block public ACLS enabled | Terraform | -| 102 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | -| 103 | CKV_AWS_54 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has block public policy enabled | Terraform | -| 104 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | -| 105 | CKV_AWS_55 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has ignore public ACLs enabled | Terraform | -| 106 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | -| 107 | CKV_AWS_56 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has 'restrict_public_bucket' enabled | Terraform | -| 108 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | -| 109 | CKV_AWS_57 | resource | aws_s3_bucket | S3 Bucket has an ACL defined which allows public WRITE access. | Terraform | -| 110 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | -| 111 | CKV_AWS_58 | resource | aws_eks_cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Terraform | -| 112 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | -| 113 | CKV_AWS_59 | resource | aws_api_gateway_method | Ensure there is no open access to back-end resources through API | Terraform | -| 114 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | -| 115 | CKV_AWS_60 | resource | aws_iam_role | Ensure IAM role allows only specific services or principals to assume it | Terraform | -| 116 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | -| 117 | CKV_AWS_61 | resource | aws_iam_role | Ensure IAM role allows only specific principals in account to assume it | Terraform | -| 118 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | -| 119 | CKV_AWS_62 | resource | aws_iam_role_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | -| 120 | CKV_AWS_62 | resource | aws_iam_user_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | -| 121 | CKV_AWS_62 | resource | aws_iam_group_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | -| 122 | CKV_AWS_62 | resource | aws_iam_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | -| 123 | CKV_AWS_63 | resource | aws_iam_role_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | -| 124 | CKV_AWS_63 | resource | aws_iam_user_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | -| 125 | CKV_AWS_63 | resource | aws_iam_group_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | -| 126 | CKV_AWS_63 | resource | aws_iam_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | -| 127 | CKV_AWS_64 | resource | aws_redshift_cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Terraform | -| 128 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | -| 129 | CKV_AWS_65 | resource | aws_ecs_cluster | Ensure container insights are enabled on ECS cluster | Terraform | -| 130 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | -| 131 | CKV_AWS_66 | resource | aws_cloudwatch_log_group | Ensure that CloudWatch Log Group specifies retention days | Terraform | -| 132 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | -| 133 | CKV_AWS_67 | resource | aws_cloudtrail | Ensure CloudTrail is enabled in all Regions | Terraform | -| 134 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | -| 135 | CKV_AWS_68 | resource | aws_cloudfront_distribution | CloudFront Distribution should have WAF enabled | Terraform | -| 136 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | -| 137 | CKV_AWS_69 | resource | aws_mq_broker | Ensure MQ Broker is not publicly exposed | Terraform | -| 138 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | -| 139 | CKV_AWS_70 | resource | aws_s3_bucket | Ensure S3 bucket does not allow an action with any Principal | Terraform | -| 140 | CKV_AWS_70 | resource | aws_s3_bucket_policy | Ensure S3 bucket does not allow an action with any Principal | Terraform | -| 141 | CKV_AWS_71 | resource | aws_redshift_cluster | Ensure Redshift Cluster logging is enabled | Terraform | -| 142 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | -| 143 | CKV_AWS_72 | resource | aws_sqs_queue_policy | Ensure SQS policy does not allow ALL (*) actions. | Terraform | -| 144 | CKV_AWS_73 | resource | aws_api_gateway_stage | Ensure API Gateway has X-Ray Tracing enabled | Terraform | -| 145 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | -| 146 | CKV_AWS_74 | resource | aws_docdb_cluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Terraform | -| 147 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | -| 148 | CKV_AWS_75 | resource | aws_globalaccelerator_accelerator | Ensure Global Accelerator accelerator has flow logs enabled | Terraform | -| 149 | CKV_AWS_76 | resource | aws_api_gateway_stage | Ensure API Gateway has Access Logging enabled | Terraform | -| 150 | CKV_AWS_76 | resource | aws_apigatewayv2_stage | Ensure API Gateway has Access Logging enabled | Terraform | -| 151 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | -| 152 | CKV_AWS_77 | resource | aws_athena_database | Ensure Athena Database is encrypted at rest (default is unencrypted) | Terraform | -| 153 | CKV_AWS_78 | resource | aws_codebuild_project | Ensure that CodeBuild Project encryption is not disabled | Terraform | -| 154 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | -| 155 | CKV_AWS_79 | resource | aws_instance | Ensure Instance Metadata Service Version 1 is not enabled | Terraform | -| 156 | CKV_AWS_79 | resource | aws_launch_template | Ensure Instance Metadata Service Version 1 is not enabled | Terraform | -| 157 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | -| 158 | CKV_AWS_80 | resource | aws_msk_cluster | Ensure MSK Cluster logging is enabled | Terraform | -| 159 | CKV_AWS_81 | resource | aws_msk_cluster | Ensure MSK Cluster encryption in rest and transit is enabled | Terraform | -| 160 | CKV_AWS_82 | resource | aws_athena_workgroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Terraform | -| 161 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | -| 162 | CKV_AWS_83 | resource | aws_elasticsearch_domain | Ensure Elasticsearch Domain enforces HTTPS | Terraform | -| 163 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | -| 164 | CKV_AWS_84 | resource | aws_elasticsearch_domain | Ensure Elasticsearch Domain Logging is enabled | Terraform | -| 165 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | -| 166 | CKV_AWS_85 | resource | aws_docdb_cluster | Ensure DocDB Logging is enabled | Terraform | -| 167 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | -| 168 | CKV_AWS_86 | resource | aws_cloudfront_distribution | Ensure Cloudfront distribution has Access Logging enabled | Terraform | -| 169 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | -| 170 | CKV_AWS_87 | resource | aws_redshift_cluster | Redshift cluster should not be publicly accessible | Terraform | -| 171 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | -| 172 | CKV_AWS_88 | resource | aws_instance | EC2 instance should not have public IP. | Terraform | -| 173 | CKV_AWS_88 | resource | aws_launch_template | EC2 instance should not have public IP. | Terraform | -| 174 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | -| 175 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | -| 176 | CKV_AWS_89 | resource | aws_dms_replication_instance | DMS replication instance should not be publicly accessible | Terraform | -| 177 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | -| 178 | CKV_AWS_90 | resource | aws_docdb_cluster_parameter_group | Ensure DocDB TLS is not disabled | Terraform | -| 179 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | -| 180 | CKV_AWS_91 | resource | aws_lb | Ensure the ELBv2 (Application/Network) has access logging enabled | Terraform | -| 181 | CKV_AWS_91 | resource | aws_alb | Ensure the ELBv2 (Application/Network) has access logging enabled | Terraform | -| 182 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | -| 183 | CKV_AWS_92 | resource | aws_elb | Ensure the ELB has access logging enabled | Terraform | -| 184 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | -| 185 | CKV_AWS_93 | resource | aws_s3_bucket | Ensure S3 bucket policy does not lockout all but root user. (Prevent lockouts needing root account fixes) | Terraform | -| 186 | CKV_AWS_93 | resource | aws_s3_bucket_policy | Ensure S3 bucket policy does not lockout all but root user. (Prevent lockouts needing root account fixes) | Terraform | -| 187 | CKV_AWS_94 | resource | aws_glue_data_catalog_encryption_settings | Ensure Glue Data Catalog Encryption is enabled | Terraform | -| 188 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | -| 189 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | -| 190 | CKV_AWS_96 | resource | aws_rds_cluster | Ensure all data stored in Aurora is securely encrypted at rest | Terraform | -| 191 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | -| 192 | CKV_AWS_97 | resource | aws_ecs_task_definition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Terraform | -| 193 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | -| 194 | CKV_AWS_98 | resource | aws_sagemaker_endpoint_configuration | Ensure all data stored in the Sagemaker Endpoint is securely encrypted at rest | Terraform | -| 195 | CKV_AWS_99 | resource | aws_glue_security_configuration | Ensure Glue Security Configuration Encryption is enabled | Terraform | -| 196 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | -| 197 | CKV_AWS_100 | resource | aws_eks_node_group | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Terraform | -| 198 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | -| 199 | CKV_AWS_101 | resource | aws_neptune_cluster | Ensure Neptune logging is enabled | Terraform | -| 200 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | -| 201 | CKV_AWS_102 | resource | aws_neptune_cluster_instance | Ensure Neptune Cluster instance is not publicly available | Terraform | -| 202 | CKV_AWS_103 | resource | aws_lb_listener | Ensure that load balancer is using TLS 1.2 | Terraform | -| 203 | CKV_AWS_104 | resource | aws_docdb_cluster_parameter_group | Ensure DocDB has audit logs enabled | Terraform | -| 204 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | -| 205 | CKV_AWS_105 | resource | aws_redshift_parameter_group | Ensure Redshift uses SSL | Terraform | -| 206 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | -| 207 | CKV_AWS_106 | resource | aws_ebs_encryption_by_default | Ensure EBS default encryption is enabled | Terraform | -| 208 | CKV_AWS_107 | data | aws_iam_policy_document | Ensure IAM policies does not allow credentials exposure | Terraform | -| 209 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 210 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 211 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 212 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 213 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 214 | CKV_AWS_108 | data | aws_iam_policy_document | Ensure IAM policies does not allow data exfiltration | Terraform | -| 215 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 216 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 217 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 218 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 219 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 220 | CKV_AWS_109 | data | aws_iam_policy_document | Ensure IAM policies does not allow permissions management / resource exposure without constraints | Terraform | -| 221 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 222 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 223 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 224 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 225 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 226 | CKV_AWS_110 | data | aws_iam_policy_document | Ensure IAM policies does not allow privilege escalation | Terraform | -| 227 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 228 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 229 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 230 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 231 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 232 | CKV_AWS_111 | data | aws_iam_policy_document | Ensure IAM policies does not allow write access without constraints | Terraform | -| 233 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 234 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 235 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 236 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 237 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 238 | CKV_AWS_112 | resource | aws_ssm_document | Ensure Session Manager data is encrypted in transit | Terraform | -| 239 | CKV_AWS_113 | resource | aws_ssm_document | Ensure Session Manager logs are enabled and encrypted | Terraform | -| 240 | CKV_AWS_114 | resource | aws_emr_cluster | Ensure that EMR clusters with Kerberos have Kerberos Realm set | Terraform | -| 241 | CKV_AWS_115 | resource | aws_lambda_function | Ensure that AWS Lambda function is configured for function-level concurrent execution limit | Terraform | -| 242 | CKV_AWS_116 | resource | aws_lambda_function | Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) | Terraform | -| 243 | CKV_AWS_117 | resource | aws_lambda_function | Ensure that AWS Lambda function is configured inside a VPC | Terraform | -| 244 | CKV_AWS_118 | resource | aws_db_instance | Ensure that enhanced monitoring is enabled for Amazon RDS instances | Terraform | -| 245 | CKV_AWS_118 | resource | aws_rds_cluster_instance | Ensure that enhanced monitoring is enabled for Amazon RDS instances | Terraform | -| 246 | CKV_AWS_119 | resource | aws_dynamodb_table | Ensure DynamoDB Tables are encrypted using KMS | Terraform | -| 247 | CKV_AWS_120 | resource | aws_api_gateway_stage | Ensure API Gateway caching is enabled | Terraform | -| 248 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | -| 249 | CKV_AWS_121 | resource | aws_config_configuration_aggregator | Ensure AWS Config is enabled in all regions | Terraform | -| 250 | CKV_AWS_122 | resource | aws_sagemaker_notebook_instance | Ensure that direct internet access is disabled for an Amazon SageMaker Notebook Instance | Terraform | -| 251 | CKV_AWS_123 | resource | aws_vpc_endpoint_service | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Terraform | -| 252 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | -| 253 | CKV_AWS_124 | resource | aws_cloudformation_stack | Ensure that CloudFormation stacks are sending event notifications to an SNS topic | Terraform | -| 254 | CKV_AWS_126 | resource | aws_instance | Ensure that detailed monitoring is enabled for EC2 instances | Terraform | -| 255 | CKV_AWS_127 | resource | aws_elb | Ensure that Elastic Load Balancer(s) uses SSL certificates provided by AWS Certificate Manager | Terraform | -| 256 | CKV_AWS_128 | resource | aws_rds_cluster | Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled | Terraform | -| 257 | CKV_AWS_129 | resource | aws_db_instance | Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled | Terraform | -| 258 | CKV_AWS_130 | resource | aws_subnet | Ensure VPC subnets do not assign public IP by default | Terraform | -| 259 | CKV_AWS_131 | resource | aws_lb | Ensure that ALB drops HTTP headers | Terraform | -| 260 | CKV_AWS_131 | resource | aws_alb | Ensure that ALB drops HTTP headers | Terraform | -| 261 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | -| 262 | CKV_AWS_133 | resource | aws_rds_cluster | Ensure that RDS instances has backup policy | Terraform | -| 263 | CKV_AWS_134 | resource | aws_elasticache_cluster | Ensure that Amazon ElastiCache Redis clusters have automatic backup turned on | Terraform | -| 264 | CKV_AWS_135 | resource | aws_instance | Ensure that EC2 is EBS optimized | Terraform | -| 265 | CKV_AWS_136 | resource | aws_ecr_repository | Ensure that ECR repositories are encrypted using KMS | Terraform | -| 266 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | -| 267 | CKV_AWS_137 | resource | aws_elasticsearch_domain | Ensure that Elasticsearch is configured inside a VPC | Terraform | -| 268 | CKV_AWS_138 | resource | aws_elb | Ensure that ELB is cross-zone-load-balancing enabled | Terraform | -| 269 | CKV_AWS_139 | resource | aws_rds_cluster | Ensure that RDS clusters have deletion protection enabled | Terraform | -| 270 | CKV_AWS_140 | resource | aws_rds_global_cluster | Ensure that RDS global clusters are encrypted | Terraform | -| 271 | CKV_AWS_141 | resource | aws_redshift_cluster | Ensured that redshift cluster allowing version upgrade by default | Terraform | -| 272 | CKV_AWS_142 | resource | aws_redshift_cluster | Ensure that Redshift cluster is encrypted by KMS | Terraform | -| 273 | CKV_AWS_143 | resource | aws_s3_bucket | Ensure that S3 bucket has lock configuration enabled by default | Terraform | -| 274 | CKV_AWS_144 | resource | aws_s3_bucket | Ensure that S3 bucket has cross-region replication enabled | Terraform | -| 275 | CKV_AWS_145 | resource | aws_s3_bucket | Ensure that S3 buckets are encrypted with KMS by default | Terraform | -| 276 | CKV_AWS_146 | resource | aws_db_cluster_snapshot | Ensure that RDS database cluster snapshot is encrypted | Terraform | -| 277 | CKV_AWS_147 | resource | aws_codebuild_project | Ensure that CodeBuild projects are encrypted | Terraform | -| 278 | CKV_AWS_148 | resource | aws_default_vpc | Ensure no default VPC is planned to be provisioned | Terraform | -| 279 | CKV_AWS_149 | resource | aws_secretsmanager_secret | Ensure that Secrets Manager secret is encrypted using KMS | Terraform | -| 280 | CKV_AWS_150 | resource | aws_lb | Ensure that Load Balancer has deletion protection enabled | Terraform | -| 281 | CKV_AWS_150 | resource | aws_alb | Ensure that Load Balancer has deletion protection enabled | Terraform | -| 282 | CKV_AWS_151 | resource | aws_eks_cluster | Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS | Terraform | -| 283 | CKV_AWS_152 | resource | aws_lb | Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled | Terraform | -| 284 | CKV_AWS_152 | resource | aws_alb | Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled | Terraform | -| 285 | CKV_AWS_153 | resource | aws_autoscaling_group | Autoscaling groups should supply tags to launch configurations | Terraform | -| 286 | CKV_AWS_154 | resource | aws_redshift_cluster | Ensure Redshift is not deployed outside of a VPC | Terraform | -| 287 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | -| 288 | CKV_AWS_155 | resource | aws_workspaces_workspace | Ensure that Workspace user volumes are encrypted | Terraform | -| 289 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | -| 290 | CKV_AWS_156 | resource | aws_workspaces_workspace | Ensure that Workspace root volumes are encrypted | Terraform | -| 291 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | -| 292 | CKV_AWS_157 | resource | aws_db_instance | Ensure that RDS instances have Multi-AZ enabled | Terraform | -| 293 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | -| 294 | CKV_AWS_158 | resource | aws_cloudwatch_log_group | Ensure that CloudWatch Log Group is encrypted by KMS | Terraform | -| 295 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | -| 296 | CKV_AWS_159 | resource | aws_athena_workgroup | Ensure that Athena Workgroup is encrypted | Terraform | -| 297 | CKV_AWS_160 | resource | aws_timestreamwrite_database | Ensure that Timestream database is encrypted with KMS CMK | Terraform | -| 298 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | -| 299 | CKV_AWS_161 | resource | aws_db_instance | Ensure RDS database has IAM authentication enabled | Terraform | -| 300 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | -| 301 | CKV_AWS_162 | resource | aws_rds_cluster | Ensure RDS cluster has IAM authentication enabled | Terraform | -| 302 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | -| 303 | CKV_AWS_163 | resource | aws_ecr_repository | Ensure ECR image scanning on push is enabled | Terraform | -| 304 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | -| 305 | CKV_AWS_164 | resource | aws_transfer_server | Ensure Transfer Server is not exposed publicly. | Terraform | -| 306 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | -| 307 | CKV_AWS_165 | resource | aws_dynamodb_global_table | Ensure Dynamodb point in time recovery (backup) is enabled for global tables | Terraform | -| 308 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | -| 309 | CKV_AWS_166 | resource | aws_backup_vault | Ensure Backup Vault is encrypted at rest using KMS CMK | Terraform | -| 310 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | -| 311 | CKV_AWS_167 | resource | aws_glacier_vault | Ensure Glacier Vault access policy is not public by only allowing specific services or principals to access it | Terraform | -| 312 | CKV_AWS_168 | resource | aws_sqs_queue_policy | Ensure SQS queue policy is not public by only allowing specific services or principals to access it | Terraform | -| 313 | CKV_AWS_169 | resource | aws_sns_topic_policy | Ensure SNS topic policy is not public by only allowing specific services or principals to access it | Terraform | -| 314 | CKV_AWS_170 | resource | aws_qldb_ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Terraform | -| 315 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | -| 316 | CKV_AWS_171 | resource | aws_emr_security_configuration | Ensure Cluster security configuration encryption is using SSE-KMS | Terraform | -| 317 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | -| 318 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | -| 319 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | -| 320 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | -| 321 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 322 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 323 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | -| 324 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | -| 325 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to an other resource | Terraform | -| 326 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | -| 327 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | -| 328 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | -| 329 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | -| 330 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | -| 331 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | -| 332 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | -| 333 | CKV2_AWS_11 | resource | aws_vpc | Ensure VPC flow logging is enabled in all VPCs | Terraform | -| 334 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | -| 335 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | -| 336 | CKV2_AWS_13 | resource | aws_redshift_cluster | Ensure that Redshift clusters has backup plan of AWS Backup | Terraform | -| 337 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | -| 338 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | -| 339 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 340 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 341 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | -| 342 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | -| 343 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | -| 344 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 345 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 346 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | -| 347 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | -| 348 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | -| 349 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | -| 350 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | -| 351 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | -| 352 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | -| 353 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | -| 354 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | -| 355 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | -| 356 | CKV_AZURE_1 | resource | azurerm_linux_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | -| 357 | CKV_AZURE_1 | resource | azurerm_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | -| 358 | CKV_AZURE_1 | resource | Microsoft.Compute/virtualMachines | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | arm | -| 359 | CKV_AZURE_2 | resource | azurerm_managed_disk | Ensure Azure managed disk has encryption enabled | Terraform | -| 360 | CKV_AZURE_2 | resource | Microsoft.Compute/disks | Ensure Azure managed disk have encryption enabled | arm | -| 361 | CKV_AZURE_3 | resource | azurerm_storage_account | Ensure that 'Secure transfer required' is set to 'Enabled' | Terraform | -| 362 | CKV_AZURE_3 | resource | Microsoft.Storage/storageAccounts | Ensure that 'supportsHttpsTrafficOnly' is set to 'true' | arm | -| 363 | CKV_AZURE_4 | resource | azurerm_kubernetes_cluster | Ensure AKS logging to Azure Monitoring is Configured | Terraform | -| 364 | CKV_AZURE_4 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS logging to Azure Monitoring is Configured | arm | -| 365 | CKV_AZURE_5 | resource | azurerm_kubernetes_cluster | Ensure RBAC is enabled on AKS clusters | Terraform | -| 366 | CKV_AZURE_5 | resource | Microsoft.ContainerService/managedClusters | Ensure RBAC is enabled on AKS clusters | arm | -| 367 | CKV_AZURE_6 | resource | azurerm_kubernetes_cluster | Ensure AKS has an API Server Authorized IP Ranges enabled | Terraform | -| 368 | CKV_AZURE_6 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS has an API Server Authorized IP Ranges enabled | arm | -| 369 | CKV_AZURE_7 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster has Network Policy configured | Terraform | -| 370 | CKV_AZURE_7 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS cluster has Network Policy configured | arm | -| 371 | CKV_AZURE_8 | resource | azurerm_kubernetes_cluster | Ensure Kube Dashboard is disabled | Terraform | -| 372 | CKV_AZURE_8 | resource | Microsoft.ContainerService/managedClusters | Ensure Kubernetes Dashboard is disabled | arm | -| 373 | CKV_AZURE_9 | resource | azurerm_network_security_rule | Ensure that RDP access is restricted from the internet | Terraform | -| 374 | CKV_AZURE_9 | resource | azurerm_network_security_group | Ensure that RDP access is restricted from the internet | Terraform | -| 375 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups | Ensure that RDP access is restricted from the internet | arm | -| 376 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that RDP access is restricted from the internet | arm | -| 377 | CKV_AZURE_10 | resource | azurerm_network_security_rule | Ensure that SSH access is restricted from the internet | Terraform | -| 378 | CKV_AZURE_10 | resource | azurerm_network_security_group | Ensure that SSH access is restricted from the internet | Terraform | -| 379 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups | Ensure that SSH access is restricted from the internet | arm | -| 380 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that SSH access is restricted from the internet | arm | -| 381 | CKV_AZURE_11 | resource | azurerm_mariadb_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | -| 382 | CKV_AZURE_11 | resource | azurerm_sql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | -| 383 | CKV_AZURE_11 | resource | azurerm_postgresql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | -| 384 | CKV_AZURE_11 | resource | azurerm_mysql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | -| 385 | CKV_AZURE_11 | resource | Microsoft.Sql/servers | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | arm | -| 386 | CKV_AZURE_12 | resource | azurerm_network_watcher_flow_log | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Terraform | -| 387 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | -| 388 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | -| 389 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | -| 390 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | -| 391 | CKV_AZURE_13 | resource | azurerm_app_service | Ensure App Service Authentication is set on Azure App Service | Terraform | -| 392 | CKV_AZURE_13 | resource | Microsoft.Web/sites/config | Ensure App Service Authentication is set on Azure App Service | arm | -| 393 | CKV_AZURE_13 | resource | config | Ensure App Service Authentication is set on Azure App Service | arm | -| 394 | CKV_AZURE_14 | resource | azurerm_app_service | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Terraform | -| 395 | CKV_AZURE_14 | resource | Microsoft.Web/sites | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | arm | -| 396 | CKV_AZURE_15 | resource | azurerm_app_service | Ensure web app is using the latest version of TLS encryption | Terraform | -| 397 | CKV_AZURE_15 | resource | Microsoft.Web/sites | Ensure web app is using the latest version of TLS encryption | arm | -| 398 | CKV_AZURE_16 | resource | azurerm_app_service | Ensure that Register with Azure Active Directory is enabled on App Service | Terraform | -| 399 | CKV_AZURE_16 | resource | Microsoft.Web/sites | Ensure that Register with Azure Active Directory is enabled on App Service | arm | -| 400 | CKV_AZURE_17 | resource | azurerm_app_service | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Terraform | -| 401 | CKV_AZURE_17 | resource | Microsoft.Web/sites | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | arm | -| 402 | CKV_AZURE_18 | resource | azurerm_app_service | Ensure that 'HTTP Version' is the latest if used to run the web app | Terraform | -| 403 | CKV_AZURE_18 | resource | Microsoft.Web/sites | Ensure that 'HTTP Version' is the latest if used to run the web app | arm | -| 404 | CKV_AZURE_19 | resource | azurerm_security_center_subscription_pricing | Ensure that standard pricing tier is selected | Terraform | -| 405 | CKV_AZURE_19 | resource | Microsoft.Security/pricings | Ensure that standard pricing tier is selected | arm | -| 406 | CKV_AZURE_20 | resource | azurerm_security_center_contact | Ensure that security contact 'Phone number' is set | Terraform | -| 407 | CKV_AZURE_20 | resource | Microsoft.Security/securityContacts | Ensure that security contact 'Phone number' is set | arm | -| 408 | CKV_AZURE_21 | resource | azurerm_security_center_contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Terraform | -| 409 | CKV_AZURE_21 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | arm | -| 410 | CKV_AZURE_22 | resource | azurerm_security_center_contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Terraform | -| 411 | CKV_AZURE_22 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | arm | -| 412 | CKV_AZURE_23 | resource | azurerm_sql_server | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | -| 413 | CKV_AZURE_23 | resource | azurerm_mssql_server | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | -| 414 | CKV_AZURE_23 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' is set to 'Enabled' for SQL servers | arm | -| 415 | CKV_AZURE_24 | resource | azurerm_sql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | -| 416 | CKV_AZURE_24 | resource | azurerm_mssql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | -| 417 | CKV_AZURE_24 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | arm | -| 418 | CKV_AZURE_25 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Threat Detection types' is set to 'All' | Terraform | -| 419 | CKV_AZURE_25 | resource | Microsoft.Sql/servers/databases | Ensure that 'Threat Detection types' is set to 'All' | arm | -| 420 | CKV_AZURE_26 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Send Alerts To' is enabled for MSSQL servers | Terraform | -| 421 | CKV_AZURE_26 | resource | Microsoft.Sql/servers/databases | Ensure that 'Send Alerts To' is enabled for MSSQL servers | arm | -| 422 | CKV_AZURE_27 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | Terraform | -| 423 | CKV_AZURE_27 | resource | Microsoft.Sql/servers/databases | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | arm | -| 424 | CKV_AZURE_28 | resource | azurerm_mysql_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | Terraform | -| 425 | CKV_AZURE_28 | resource | Microsoft.DBforMySQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | arm | -| 426 | CKV_AZURE_29 | resource | azurerm_postgresql_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Terraform | -| 427 | CKV_AZURE_29 | resource | Microsoft.DBforPostgreSQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | arm | -| 428 | CKV_AZURE_30 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Terraform | -| 429 | CKV_AZURE_30 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | arm | -| 430 | CKV_AZURE_30 | resource | configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | arm | -| 431 | CKV_AZURE_31 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | Terraform | -| 432 | CKV_AZURE_31 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | arm | -| 433 | CKV_AZURE_31 | resource | configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | arm | -| 434 | CKV_AZURE_32 | resource | azurerm_postgresql_configuration | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Terraform | -| 435 | CKV_AZURE_32 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | arm | -| 436 | CKV_AZURE_32 | resource | configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | arm | -| 437 | CKV_AZURE_33 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Queue service for read, write and delete requests | Terraform | -| 438 | CKV_AZURE_33 | resource | Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings | Ensure Storage logging is enabled for Queue service for read, write and delete requests | arm | -| 439 | CKV_AZURE_34 | resource | azurerm_storage_container | Ensure that 'Public access level' is set to Private for blob containers | Terraform | -| 440 | CKV_AZURE_34 | resource | Microsoft.Storage/storageAccounts/blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | arm | -| 441 | CKV_AZURE_34 | resource | containers | Ensure that 'Public access level' is set to Private for blob containers | arm | -| 442 | CKV_AZURE_34 | resource | blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | arm | -| 443 | CKV_AZURE_35 | resource | azurerm_storage_account | Ensure default network access rule for Storage Accounts is set to deny | Terraform | -| 444 | CKV_AZURE_35 | resource | azurerm_storage_account_network_rules | Ensure default network access rule for Storage Accounts is set to deny | Terraform | -| 445 | CKV_AZURE_35 | resource | Microsoft.Storage/storageAccounts | Ensure default network access rule for Storage Accounts is set to deny | arm | -| 446 | CKV_AZURE_36 | resource | azurerm_storage_account | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Terraform | -| 447 | CKV_AZURE_36 | resource | azurerm_storage_account_network_rules | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Terraform | -| 448 | CKV_AZURE_36 | resource | Microsoft.Storage/storageAccounts | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | arm | -| 449 | CKV_AZURE_37 | resource | azurerm_monitor_log_profile | Ensure that Activity Log Retention is set 365 days or greater | Terraform | -| 450 | CKV_AZURE_37 | resource | microsoft.insights/logprofiles | Ensure that Activity Log Retention is set 365 days or greater | arm | -| 451 | CKV_AZURE_38 | resource | azurerm_monitor_log_profile | Ensure audit profile captures all the activities | Terraform | -| 452 | CKV_AZURE_38 | resource | microsoft.insights/logprofiles | Ensure audit profile captures all the activities | arm | -| 453 | CKV_AZURE_39 | resource | azurerm_role_definition | Ensure that no custom subscription owner roles are created | Terraform | -| 454 | CKV_AZURE_39 | resource | Microsoft.Authorization/roleDefinitions | Ensure that no custom subscription owner roles are created | arm | -| 455 | CKV_AZURE_40 | resource | azurerm_key_vault_key | Ensure that the expiration date is set on all keys | Terraform | -| 456 | CKV_AZURE_41 | resource | azurerm_key_vault_secret | Ensure that the expiration date is set on all secrets | Terraform | -| 457 | CKV_AZURE_41 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that the expiration date is set on all secrets | arm | -| 458 | CKV_AZURE_42 | resource | azurerm_key_vault | Ensure the key vault is recoverable | Terraform | -| 459 | CKV_AZURE_42 | resource | Microsoft.KeyVault/vaults | Ensure the key vault is recoverable | arm | -| 460 | CKV_AZURE_43 | resource | azurerm_storage_account | Ensure the Storage Account naming rules | Terraform | -| 461 | CKV_AZURE_44 | resource | azurerm_storage_account | Ensure Storage Account is using the latest version of TLS encryption | Terraform | -| 462 | CKV_AZURE_45 | resource | azurerm_virtual_machine | Ensure that no sensitive credentials are exposed in VM custom_data | Terraform | -| 463 | CKV_AZURE_46 | resource | azurerm_mssql_database_extended_auditing_policy | Specifies a retention period of less than 90 days. | Terraform | -| 464 | CKV_AZURE_47 | resource | azurerm_mariadb_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers | Terraform | -| 465 | CKV_AZURE_48 | resource | azurerm_mariadb_server | Ensure 'public network access enabled' is set to 'False' for MariaDB servers | Terraform | -| 466 | CKV_AZURE_49 | resource | azurerm_linux_virtual_machine_scale_set | Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) | Terraform | -| 467 | CKV_AZURE_50 | resource | azurerm_linux_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform | -| 468 | CKV_AZURE_50 | resource | azurerm_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform | -| 469 | CKV_AZURE_52 | resource | azurerm_mssql_server | Ensure MSSQL is using the latest version of TLS encryption | Terraform | -| 470 | CKV_AZURE_53 | resource | azurerm_mysql_server | Ensure 'public network access enabled' is set to 'False' for mySQL servers | Terraform | -| 471 | CKV_AZURE_54 | resource | azurerm_mysql_server | Ensure MySQL is using the latest version of TLS encryption | Terraform | -| 472 | CKV_AZURE_55 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Servers | Terraform | -| 473 | CKV_AZURE_56 | resource | azurerm_function_app | Ensure that function apps enables Authentication | Terraform | -| 474 | CKV_AZURE_57 | resource | azurerm_app_service | Ensure that CORS disallows every resource to access app services | Terraform | -| 475 | CKV_AZURE_58 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces enables managed virtual networks | Terraform | -| 476 | CKV_AZURE_59 | resource | azurerm_storage_account | Ensure that Storage accounts disallow public access | Terraform | -| 477 | CKV_AZURE_60 | resource | azurerm_storage_account | Ensure that storage account enables secure transfer | Terraform | -| 478 | CKV_AZURE_61 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for App Service | Terraform | -| 479 | CKV_AZURE_62 | resource | azurerm_function_app | Ensure function apps are not accessible from all regions | Terraform | -| 480 | CKV_AZURE_63 | resource | azurerm_app_service | Ensure that App service enables HTTP logging | Terraform | -| 481 | CKV_AZURE_64 | resource | azurerm_storage_sync | Ensure that Azure File Sync disables public network access | Terraform | -| 482 | CKV_AZURE_65 | resource | azurerm_app_service | Ensure that App service enables detailed error messages | Terraform | -| 483 | CKV_AZURE_66 | resource | azurerm_app_service | Ensure that App service enables failed request tracing | Terraform | -| 484 | CKV_AZURE_67 | resource | azurerm_function_app | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Terraform | -| 485 | CKV_AZURE_68 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server disables public network access | Terraform | -| 486 | CKV_AZURE_69 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Azure SQL database servers | Terraform | -| 487 | CKV_AZURE_70 | resource | azurerm_function_app | Ensure that Function apps is only accessible over HTTPS | Terraform | -| 488 | CKV_AZURE_71 | resource | azurerm_app_service | Ensure that Managed identity provider is enabled for app services | Terraform | -| 489 | CKV_AZURE_72 | resource | azurerm_app_service | Ensure that remote debugging is not enabled for app services | Terraform | -| 490 | CKV_AZURE_73 | resource | azurerm_automation_variable_bool | Ensure that Automation account variables are encrypted | Terraform | -| 491 | CKV_AZURE_73 | resource | azurerm_automation_variable_string | Ensure that Automation account variables are encrypted | Terraform | -| 492 | CKV_AZURE_73 | resource | azurerm_automation_variable_int | Ensure that Automation account variables are encrypted | Terraform | -| 493 | CKV_AZURE_73 | resource | azurerm_automation_variable_datetime | Ensure that Automation account variables are encrypted | Terraform | -| 494 | CKV_AZURE_74 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer uses disk encryption | Terraform | -| 495 | CKV_AZURE_75 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer uses double encryption | Terraform | -| 496 | CKV_AZURE_76 | resource | azurerm_batch_account | Ensure that Azure Batch account uses key vault to encrypt data | Terraform | -| 497 | CKV_AZURE_77 | resource | azurerm_network_security_rule | Ensure that UDP Services are restricted from the Internet | Terraform | -| 498 | CKV_AZURE_77 | resource | azurerm_network_security_group | Ensure that UDP Services are restricted from the Internet | Terraform | -| 499 | CKV_AZURE_78 | resource | azurerm_app_service | Ensure FTP deployments are disabled | Terraform | -| 500 | CKV_AZURE_79 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for SQL servers on machines | Terraform | -| 501 | CKV_AZURE_80 | resource | azurerm_app_service | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | Terraform | -| 502 | CKV_AZURE_81 | resource | azurerm_app_service | Ensure that 'PHP version' is the latest, if used to run the web app | Terraform | -| 503 | CKV_AZURE_82 | resource | azurerm_app_service | Ensure that 'Python version' is the latest, if used to run the web app | Terraform | -| 504 | CKV_AZURE_83 | resource | azurerm_app_service | Ensure that 'Java version' is the latest, if used to run the web app | Terraform | -| 505 | CKV_AZURE_84 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Storage | Terraform | -| 506 | CKV_AZURE_85 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Kubernetes | Terraform | -| 507 | CKV_AZURE_86 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Container Registries | Terraform | -| 508 | CKV_AZURE_87 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Key Vault | Terraform | -| 509 | CKV_AZURE_88 | resource | azurerm_app_service | Ensure that app services use Azure Files | Terraform | -| 510 | CKV_AZURE_89 | resource | azurerm_redis_cache | Ensure that Azure Cache for Redis disables public network access | Terraform | -| 511 | CKV_AZURE_90 | resource | azurerm_mysql_server | Ensure that MySQL server disables public network access | Terraform | -| 512 | CKV_AZURE_91 | resource | azurerm_redis_cache | Ensure that only SSL are enabled for Cache for Redis | Terraform | -| 513 | CKV_AZURE_92 | resource | azurerm_linux_virtual_machine | Ensure that Virtual Machines use managed disks | Terraform | -| 514 | CKV_AZURE_92 | resource | azurerm_windows_virtual_machine | Ensure that Virtual Machines use managed disks | Terraform | -| 515 | CKV_AZURE_93 | resource | azurerm_managed_disk | Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption | Terraform | -| 516 | CKV_AZURE_94 | resource | azurerm_mysql_server | Ensure that My SQL server enables geo-redundant backups | Terraform | -| 517 | CKV_AZURE_95 | resource | azurerm_virtual_machine_scale_set | Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets | Terraform | -| 518 | CKV_AZURE_96 | resource | azurerm_mysql_server | Ensure that MySQL server enables infrastructure encryption | Terraform | -| 519 | CKV_AZURE_97 | resource | azurerm_linux_virtual_machine_scale_set | Ensure that Virtual machine scale sets have encryption at host enabled | Terraform | -| 520 | CKV_AZURE_97 | resource | azurerm_windows_virtual_machine_scale_set | Ensure that Virtual machine scale sets have encryption at host enabled | Terraform | -| 521 | CKV_AZURE_98 | resource | azurerm_container_group | Ensure that Azure Container group is deployed into virtual network | Terraform | -| 522 | CKV_AZURE_99 | resource | azurerm_cosmosdb_account | Ensure Cosmos DB accounts have restricted access | Terraform | -| 523 | CKV_AZURE_100 | resource | azurerm_cosmosdb_account | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest | Terraform | -| 524 | CKV_AZURE_101 | resource | azurerm_cosmosdb_account | Ensure that Azure Cosmos DB disables public network access | Terraform | -| 525 | CKV_AZURE_102 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables geo-redundant backups | Terraform | -| 526 | CKV_AZURE_103 | resource | azurerm_data_factory | Ensure that Azure Data Factory uses Git repository for source control | Terraform | -| 527 | CKV_AZURE_104 | resource | azurerm_data_factory | Ensure that Azure Data factory public network access is disabled | Terraform | -| 528 | CKV_AZURE_105 | resource | azurerm_data_lake_store | Ensure that Data Lake Store accounts enables encryption | Terraform | -| 529 | CKV_AZURE_106 | resource | azurerm_eventgrid_domain | Ensure that Azure Event Grid Domain public network access is disabled | Terraform | -| 530 | CKV_AZURE_107 | resource | azurerm_api_management | Ensure that API management services use virtual networks | Terraform | -| 531 | CKV_AZURE_108 | resource | azurerm_iothub | Ensure that Azure IoT Hub disables public network access | Terraform | -| 532 | CKV_AZURE_109 | resource | azurerm_key_vault | Ensure that key vault allows firewall rules settings | Terraform | -| 533 | CKV_AZURE_110 | resource | azurerm_key_vault | Ensure that key vault enables purge protection | Terraform | -| 534 | CKV_AZURE_111 | resource | azurerm_key_vault | Ensure that key vault enables soft delete | Terraform | -| 535 | CKV_AZURE_112 | resource | azurerm_key_vault_key | Ensure that key vault key is backed by HSM | Terraform | -| 536 | CKV_AZURE_113 | resource | azurerm_mssql_server | Ensure that SQL server disables public network access | Terraform | -| 537 | CKV_AZURE_114 | resource | azurerm_key_vault_secret | Ensure that key vault secrets have "content_type" set | Terraform | -| 538 | CKV_AZURE_115 | resource | azurerm_kubernetes_cluster | Ensure that AKS enables private clusters | Terraform | -| 539 | CKV_AZURE_116 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses Azure Policies Add-on | Terraform | -| 540 | CKV_AZURE_117 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses disk encryption set | Terraform | -| 541 | CKV_AZURE_118 | resource | azurerm_network_interface | Ensure that Network Interfaces disable IP forwarding | Terraform | -| 542 | CKV_AZURE_119 | resource | azurerm_network_interface | Ensure that Network Interfaces don't use public IPs | Terraform | -| 543 | CKV_AZURE_120 | resource | azurerm_application_gateway | Ensure that Application Gateway enables WAF | Terraform | -| 544 | CKV_AZURE_121 | resource | azurerm_frontdoor | Ensure that Azure Front Door enables WAF | Terraform | -| 545 | CKV_AZURE_122 | resource | azurerm_web_application_firewall_policy | Ensure that Application Gateway uses WAF in "Detection" or "Prevention" modes | Terraform | -| 546 | CKV_AZURE_123 | resource | azurerm_frontdoor_firewall_policy | Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes | Terraform | -| 547 | CKV_AZURE_124 | resource | azurerm_search_service | Ensure that Azure Cognitive Search disables public network access | Terraform | -| 548 | CKV_AZURE_125 | resource | azurerm_service_fabric_cluster | Ensures that Active Directory is used for authentication for Service Fabric | Terraform | -| 549 | CKV_AZURE_126 | resource | azurerm_service_fabric_cluster | Ensures that Active Directory is used for authentication for Service Fabric | Terraform | -| 550 | CKV_AZURE_127 | resource | azurerm_mysql_server | Ensure that My SQL server enables Threat detection policy | Terraform | -| 551 | CKV_AZURE_128 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables Threat detection policy | Terraform | -| 552 | CKV_AZURE_129 | resource | azurerm_mariadb_server | Ensure that MariaDB server enables geo-redundant backups | Terraform | -| 553 | CKV_AZURE_130 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables infrastructure encryption | Terraform | -| 554 | CKV_AZURE_131 | resource | azurerm_security_center_contact | Ensure that 'Security contact emails' is set | Terraform | -| 555 | CKV_AZURE_131 | parameter | secureString | SecureString parameter should not have hardcoded default values | arm | -| 556 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | -| 557 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 558 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 559 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 560 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 561 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 562 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 563 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 564 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 565 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 566 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 567 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 568 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | -| 569 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | -| 570 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | -| 571 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | -| 572 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | -| 573 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | -| 574 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | -| 575 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | -| 576 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | -| 577 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | -| 578 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | -| 579 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | -| 580 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | -| 581 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | -| 582 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | -| 583 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 584 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 585 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 586 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 587 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | -| 588 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | -| 589 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | -| 590 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 591 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 592 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 593 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 594 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 595 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 596 | CKV_DOCKER_1 | dockerfile | EXPOSE | Ensure port 22 is not exposed | dockerfile | -| 597 | CKV_DOCKER_2 | dockerfile | * | Ensure that HEALTHCHECK instructions have been added to container images | dockerfile | -| 598 | CKV_DOCKER_3 | dockerfile | * | Ensure that a user for the container has been created | dockerfile | -| 599 | CKV_DOCKER_4 | dockerfile | ADD | Ensure that COPY is used instead of ADD in Dockerfiles | dockerfile | -| 600 | CKV_DOCKER_5 | dockerfile | RUN | Ensure update instructions are not use alone in the Dockerfile | dockerfile | -| 601 | CKV_DOCKER_6 | dockerfile | MAINTAINER | Ensure that LABEL maintainer is used instead of MAINTAINER (deprecated) | dockerfile | -| 602 | CKV_DOCKER_7 | dockerfile | FROM | Ensure the base image uses a non latest version tag | dockerfile | -| 603 | CKV_DOCKER_8 | dockerfile | USER | Ensure the last USER is not root | dockerfile | -| 604 | CKV_GCP_1 | resource | google_container_cluster | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters | Terraform | -| 605 | CKV_GCP_2 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted ssh access | Terraform | -| 606 | CKV_GCP_3 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted rdp access | Terraform | -| 607 | CKV_GCP_4 | resource | google_compute_ssl_policy | Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites | Terraform | -| 608 | CKV_GCP_6 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance requires all incoming connections to use SSL | Terraform | -| 609 | CKV_GCP_7 | resource | google_container_cluster | Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters | Terraform | -| 610 | CKV_GCP_8 | resource | google_container_cluster | Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters | Terraform | -| 611 | CKV_GCP_9 | resource | google_container_node_pool | Ensure 'Automatic node repair' is enabled for Kubernetes Clusters | Terraform | -| 612 | CKV_GCP_10 | resource | google_container_node_pool | Ensure 'Automatic node upgrade' is enabled for Kubernetes Clusters | Terraform | -| 613 | CKV_GCP_11 | resource | google_sql_database_instance | Ensure that Cloud SQL database Instances are not open to the world | Terraform | -| 614 | CKV_GCP_12 | resource | google_container_cluster | Ensure Network Policy is enabled on Kubernetes Engine Clusters | Terraform | -| 615 | CKV_GCP_13 | resource | google_container_cluster | Ensure a client certificate is used by clients to authenticate to Kubernetes Engine Clusters | Terraform | -| 616 | CKV_GCP_14 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance have backup configuration enabled | Terraform | -| 617 | CKV_GCP_15 | resource | google_bigquery_dataset | Ensure that BigQuery datasets are not anonymously or publicly accessible | Terraform | -| 618 | CKV_GCP_16 | resource | google_dns_managed_zone | Ensure that DNSSEC is enabled for Cloud DNS | Terraform | -| 619 | CKV_GCP_17 | resource | google_dns_managed_zone | Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC | Terraform | -| 620 | CKV_GCP_18 | resource | google_container_cluster | Ensure GKE Control Plane is not public | Terraform | -| 621 | CKV_GCP_19 | resource | google_container_cluster | Ensure GKE basic auth is disabled | Terraform | -| 622 | CKV_GCP_20 | resource | google_container_cluster | Ensure master authorized networks is set to enabled in GKE clusters | Terraform | -| 623 | CKV_GCP_21 | resource | google_container_cluster | Ensure Kubernetes Clusters are configured with Labels | Terraform | -| 624 | CKV_GCP_22 | resource | google_container_node_pool | Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image | Terraform | -| 625 | CKV_GCP_23 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Alias IP ranges enabled | Terraform | -| 626 | CKV_GCP_24 | resource | google_container_cluster | Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters | Terraform | -| 627 | CKV_GCP_25 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Private cluster enabled | Terraform | -| 628 | CKV_GCP_26 | resource | google_compute_subnetwork | Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network | Terraform | -| 629 | CKV_GCP_27 | resource | google_project | Ensure that the default network does not exist in a project | Terraform | -| 630 | CKV_GCP_28 | resource | google_storage_bucket_iam_member | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | -| 631 | CKV_GCP_28 | resource | google_storage_bucket_iam_binding | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | -| 632 | CKV_GCP_29 | resource | google_storage_bucket | Ensure that Cloud Storage buckets have uniform bucket-level access enabled | Terraform | -| 633 | CKV_GCP_30 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account | Terraform | -| 634 | CKV_GCP_31 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | -| 635 | CKV_GCP_32 | resource | google_compute_instance | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | -| 636 | CKV_GCP_33 | resource | google_compute_project_metadata | Ensure oslogin is enabled for a Project | Terraform | -| 637 | CKV_GCP_34 | resource | google_compute_instance | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | -| 638 | CKV_GCP_35 | resource | google_compute_instance | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | -| 639 | CKV_GCP_36 | resource | google_compute_instance | Ensure that IP forwarding is not enabled on Instances | Terraform | -| 640 | CKV_GCP_37 | resource | google_compute_disk | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | -| 641 | CKV_GCP_38 | resource | google_compute_instance | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | -| 642 | CKV_GCP_39 | resource | google_compute_instance | Ensure Compute instances are launched with Shielded VM enabled | Terraform | -| 643 | CKV_GCP_40 | resource | google_compute_instance | Ensure that Compute instances do not have public IP addresses | Terraform | -| 644 | CKV_GCP_41 | resource | google_project_iam_member | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | -| 645 | CKV_GCP_41 | resource | google_project_iam_binding | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | -| 646 | CKV_GCP_42 | resource | google_project_iam_member | Ensure that Service Account has no Admin privileges | Terraform | -| 647 | CKV_GCP_43 | resource | google_kms_crypto_key | Ensure KMS encryption keys are rotated within a period of 90 days | Terraform | -| 648 | CKV_GCP_44 | resource | google_folder_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | -| 649 | CKV_GCP_44 | resource | google_folder_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | -| 650 | CKV_GCP_45 | resource | google_organization_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform | -| 651 | CKV_GCP_45 | resource | google_organization_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform | -| 652 | CKV_GCP_46 | resource | google_project_iam_member | Ensure Default Service account is not used at a project level | Terraform | -| 653 | CKV_GCP_46 | resource | google_project_iam_binding | Ensure Default Service account is not used at a project level | Terraform | -| 654 | CKV_GCP_47 | resource | google_organization_iam_member | Ensure default service account is not used at an organization level | Terraform | -| 655 | CKV_GCP_47 | resource | google_organization_iam_binding | Ensure default service account is not used at an organization level | Terraform | -| 656 | CKV_GCP_48 | resource | google_folder_iam_member | Ensure Default Service account is not used at a folder level | Terraform | -| 657 | CKV_GCP_48 | resource | google_folder_iam_binding | Ensure Default Service account is not used at a folder level | Terraform | -| 658 | CKV_GCP_49 | resource | google_project_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at a project level | Terraform | -| 659 | CKV_GCP_49 | resource | google_project_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at a project level | Terraform | -| 660 | CKV_GCP_50 | resource | google_sql_database_instance | Ensure MySQL database 'local_infile' flag is set to 'off' | Terraform | -| 661 | CKV_GCP_51 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_checkpoints' flag is set to 'on' | Terraform | -| 662 | CKV_GCP_52 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_connections' flag is set to 'on' | Terraform | -| 663 | CKV_GCP_53 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_disconnections' flag is set to 'on' | Terraform | -| 664 | CKV_GCP_54 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_lock_waits' flag is set to 'on' | Terraform | -| 665 | CKV_GCP_55 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_messages' flag is set to a valid value | Terraform | -| 666 | CKV_GCP_56 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_temp_files flag is set to '0' | Terraform | -| 667 | CKV_GCP_57 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_duration_statement' flag is set to '-1' | Terraform | -| 668 | CKV_GCP_58 | resource | google_sql_database_instance | Ensure SQL database 'cross db ownership chaining' flag is set to 'off' | Terraform | -| 669 | CKV_GCP_59 | resource | google_sql_database_instance | Ensure SQL database 'contained database authentication' flag is set to 'off' | Terraform | -| 670 | CKV_GCP_60 | resource | google_sql_database_instance | Ensure SQL database do not have public IP | Terraform | -| 671 | CKV_GCP_61 | resource | google_container_cluster | Enable VPC Flow Logs and Intranode Visibility | Terraform | -| 672 | CKV_GCP_62 | resource | google_storage_bucket | Bucket should log access | Terraform | -| 673 | CKV_GCP_63 | resource | google_storage_bucket | Bucket should not log to itself | Terraform | -| 674 | CKV_GCP_64 | resource | google_container_cluster | Ensure clusters are created with Private Nodes | Terraform | -| 675 | CKV_GCP_65 | resource | google_container_cluster | Manage Kubernetes RBAC users with Google Groups for GKE | Terraform | -| 676 | CKV_GCP_66 | resource | google_container_cluster | Ensure use of Binary Authorization | Terraform | -| 677 | CKV_GCP_67 | resource | google_container_cluster | Ensure legacy Compute Engine instance metadata APIs are Disabled | Terraform | -| 678 | CKV_GCP_68 | resource | google_container_cluster | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | -| 679 | CKV_GCP_68 | resource | google_container_node_pool | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | -| 680 | CKV_GCP_69 | resource | google_container_cluster | Ensure the GKE Metadata Server is Enabled | Terraform | -| 681 | CKV_GCP_69 | resource | google_container_node_pool | Ensure the GKE Metadata Server is Enabled | Terraform | -| 682 | CKV_GCP_70 | resource | google_container_cluster | Ensure the GKE Release Channel is set | Terraform | -| 683 | CKV_GCP_71 | resource | google_container_cluster | Ensure Shielded GKE Nodes are Enabled | Terraform | -| 684 | CKV_GCP_72 | resource | google_container_cluster | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | -| 685 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | -| 686 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | -| 687 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 688 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 689 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 690 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 691 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 692 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 693 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 694 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 695 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 696 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 697 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 698 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 699 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 700 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 701 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 702 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 703 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 704 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 705 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 706 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 707 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 708 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 709 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 710 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 711 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 712 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 713 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 714 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 715 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 716 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 717 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 718 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 719 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 720 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 721 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 722 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 723 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 724 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 725 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 726 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 727 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 728 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 729 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 730 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 731 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 732 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 733 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 734 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 735 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 736 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 737 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 738 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 739 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 740 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 741 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 742 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 743 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 744 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 745 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 746 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 747 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 748 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 749 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 750 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 751 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 752 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 753 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 754 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 755 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 756 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 757 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 758 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 759 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 760 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 761 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 762 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 763 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 764 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 765 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 766 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 767 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 768 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 769 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 770 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 771 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 772 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 773 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 774 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 775 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 776 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 777 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 778 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 779 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 780 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 781 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 782 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 783 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 784 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 785 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 786 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 787 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 788 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 789 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 790 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 791 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 792 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 793 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 794 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 795 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 796 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 797 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 798 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 799 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 800 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 801 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 802 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 803 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 804 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 805 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 806 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 807 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 808 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 809 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 810 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 811 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 812 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 813 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 814 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 815 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 816 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 817 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 818 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 819 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 820 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 821 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 822 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 823 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 824 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 825 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 826 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 827 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 828 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 829 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 830 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 831 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 832 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 833 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 834 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 835 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 836 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 837 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 838 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 839 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 840 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 841 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 842 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 843 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 844 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 845 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 846 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 847 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 848 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 849 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 850 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 851 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 852 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 853 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 854 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 855 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 856 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 857 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 858 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 859 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 860 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 861 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 862 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 863 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 864 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 865 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 866 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 867 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 868 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 869 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 870 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 871 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 872 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 873 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 874 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 875 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 876 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 877 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 878 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 879 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 880 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 881 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 882 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 883 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 884 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 885 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 886 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 887 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 888 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 889 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 890 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 891 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 892 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 893 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 894 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 895 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 896 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 897 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 898 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 899 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 900 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 901 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 902 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 903 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 904 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 905 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 906 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 907 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 908 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 909 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 910 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 911 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 912 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 913 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 914 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 915 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 916 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 917 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 918 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 919 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 920 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 921 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 922 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 923 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 924 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 925 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 926 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 927 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 928 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 929 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 930 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 931 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 932 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 933 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 934 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 935 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 936 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 937 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 938 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 939 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 940 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 941 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 942 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 943 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 944 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 945 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 946 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 947 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 948 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 949 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 950 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 951 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 952 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 953 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 954 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 955 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 956 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 957 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 958 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 959 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | -| 960 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | -| 961 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform | -| 962 | CKV_K8S_1 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host process ID namespace | Kubernetes | -| 963 | CKV_K8S_2 | resource | PodSecurityPolicy | Do not admit privileged containers | Kubernetes | -| 964 | CKV_K8S_3 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host IPC namespace | Kubernetes | -| 965 | CKV_K8S_4 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host network namespace | Kubernetes | -| 966 | CKV_K8S_5 | resource | PodSecurityPolicy | Containers should not run with allowPrivilegeEscalation | Kubernetes | -| 967 | CKV_K8S_6 | resource | PodSecurityPolicy | Do not admit root containers | Kubernetes | -| 968 | CKV_K8S_7 | resource | PodSecurityPolicy | Do not admit containers with the NET_RAW capability | Kubernetes | -| 969 | CKV_K8S_8 | resource | containers | Liveness Probe Should be Configured | Kubernetes | -| 970 | CKV_K8S_9 | resource | containers | Readiness Probe Should be Configured | Kubernetes | -| 971 | CKV_K8S_10 | resource | containers | CPU requests should be set | Kubernetes | -| 972 | CKV_K8S_10 | resource | initContainers | CPU requests should be set | Kubernetes | -| 973 | CKV_K8S_11 | resource | containers | CPU limits should be set | Kubernetes | -| 974 | CKV_K8S_11 | resource | initContainers | CPU limits should be set | Kubernetes | -| 975 | CKV_K8S_12 | resource | containers | Memory requests should be set | Kubernetes | -| 976 | CKV_K8S_12 | resource | initContainers | Memory requests should be set | Kubernetes | -| 977 | CKV_K8S_13 | resource | containers | Memory limits should be set | Kubernetes | -| 978 | CKV_K8S_13 | resource | initContainers | Memory limits should be set | Kubernetes | -| 979 | CKV_K8S_14 | resource | containers | Image Tag should be fixed - not latest or blank | Kubernetes | -| 980 | CKV_K8S_14 | resource | initContainers | Image Tag should be fixed - not latest or blank | Kubernetes | -| 981 | CKV_K8S_15 | resource | containers | Image Pull Policy should be Always | Kubernetes | -| 982 | CKV_K8S_15 | resource | initContainers | Image Pull Policy should be Always | Kubernetes | -| 983 | CKV_K8S_16 | resource | containers | Container should not be privileged | Kubernetes | -| 984 | CKV_K8S_16 | resource | initContainers | Container should not be privileged | Kubernetes | -| 985 | CKV_K8S_17 | resource | Pod | Containers should not share the host process ID namespace | Kubernetes | -| 986 | CKV_K8S_17 | resource | Deployment | Containers should not share the host process ID namespace | Kubernetes | -| 987 | CKV_K8S_17 | resource | DaemonSet | Containers should not share the host process ID namespace | Kubernetes | -| 988 | CKV_K8S_17 | resource | StatefulSet | Containers should not share the host process ID namespace | Kubernetes | -| 989 | CKV_K8S_17 | resource | ReplicaSet | Containers should not share the host process ID namespace | Kubernetes | -| 990 | CKV_K8S_17 | resource | ReplicationController | Containers should not share the host process ID namespace | Kubernetes | -| 991 | CKV_K8S_17 | resource | Job | Containers should not share the host process ID namespace | Kubernetes | -| 992 | CKV_K8S_17 | resource | CronJob | Containers should not share the host process ID namespace | Kubernetes | -| 993 | CKV_K8S_18 | resource | Pod | Containers should not share the host IPC namespace | Kubernetes | -| 994 | CKV_K8S_18 | resource | Deployment | Containers should not share the host IPC namespace | Kubernetes | -| 995 | CKV_K8S_18 | resource | DaemonSet | Containers should not share the host IPC namespace | Kubernetes | -| 996 | CKV_K8S_18 | resource | StatefulSet | Containers should not share the host IPC namespace | Kubernetes | -| 997 | CKV_K8S_18 | resource | ReplicaSet | Containers should not share the host IPC namespace | Kubernetes | -| 998 | CKV_K8S_18 | resource | ReplicationController | Containers should not share the host IPC namespace | Kubernetes | -| 999 | CKV_K8S_18 | resource | Job | Containers should not share the host IPC namespace | Kubernetes | -| 1000 | CKV_K8S_18 | resource | CronJob | Containers should not share the host IPC namespace | Kubernetes | -| 1001 | CKV_K8S_19 | resource | Pod | Containers should not share the host network namespace | Kubernetes | -| 1002 | CKV_K8S_19 | resource | Deployment | Containers should not share the host network namespace | Kubernetes | -| 1003 | CKV_K8S_19 | resource | DaemonSet | Containers should not share the host network namespace | Kubernetes | -| 1004 | CKV_K8S_19 | resource | StatefulSet | Containers should not share the host network namespace | Kubernetes | -| 1005 | CKV_K8S_19 | resource | ReplicaSet | Containers should not share the host network namespace | Kubernetes | -| 1006 | CKV_K8S_19 | resource | ReplicationController | Containers should not share the host network namespace | Kubernetes | -| 1007 | CKV_K8S_19 | resource | Job | Containers should not share the host network namespace | Kubernetes | -| 1008 | CKV_K8S_19 | resource | CronJob | Containers should not share the host network namespace | Kubernetes | -| 1009 | CKV_K8S_20 | resource | containers | Containers should not run with allowPrivilegeEscalation | Kubernetes | -| 1010 | CKV_K8S_20 | resource | initContainers | Containers should not run with allowPrivilegeEscalation | Kubernetes | -| 1011 | CKV_K8S_21 | resource | Service | The default namespace should not be used | Kubernetes | -| 1012 | CKV_K8S_21 | resource | Pod | The default namespace should not be used | Kubernetes | -| 1013 | CKV_K8S_21 | resource | Deployment | The default namespace should not be used | Kubernetes | -| 1014 | CKV_K8S_21 | resource | DaemonSet | The default namespace should not be used | Kubernetes | -| 1015 | CKV_K8S_21 | resource | StatefulSet | The default namespace should not be used | Kubernetes | -| 1016 | CKV_K8S_21 | resource | ReplicaSet | The default namespace should not be used | Kubernetes | -| 1017 | CKV_K8S_21 | resource | ReplicationController | The default namespace should not be used | Kubernetes | -| 1018 | CKV_K8S_21 | resource | Job | The default namespace should not be used | Kubernetes | -| 1019 | CKV_K8S_21 | resource | CronJob | The default namespace should not be used | Kubernetes | -| 1020 | CKV_K8S_21 | resource | Secret | The default namespace should not be used | Kubernetes | -| 1021 | CKV_K8S_21 | resource | ServiceAccount | The default namespace should not be used | Kubernetes | -| 1022 | CKV_K8S_21 | resource | Role | The default namespace should not be used | Kubernetes | -| 1023 | CKV_K8S_21 | resource | RoleBinding | The default namespace should not be used | Kubernetes | -| 1024 | CKV_K8S_21 | resource | ConfigMap | The default namespace should not be used | Kubernetes | -| 1025 | CKV_K8S_21 | resource | Ingress | The default namespace should not be used | Kubernetes | -| 1026 | CKV_K8S_22 | resource | containers | Use read-only filesystem for containers where possible | Kubernetes | -| 1027 | CKV_K8S_22 | resource | initContainers | Use read-only filesystem for containers where possible | Kubernetes | -| 1028 | CKV_K8S_23 | resource | Pod | Minimize the admission of root containers | Kubernetes | -| 1029 | CKV_K8S_23 | resource | Deployment | Minimize the admission of root containers | Kubernetes | -| 1030 | CKV_K8S_23 | resource | DaemonSet | Minimize the admission of root containers | Kubernetes | -| 1031 | CKV_K8S_23 | resource | StatefulSet | Minimize the admission of root containers | Kubernetes | -| 1032 | CKV_K8S_23 | resource | ReplicaSet | Minimize the admission of root containers | Kubernetes | -| 1033 | CKV_K8S_23 | resource | ReplicationController | Minimize the admission of root containers | Kubernetes | -| 1034 | CKV_K8S_23 | resource | Job | Minimize the admission of root containers | Kubernetes | -| 1035 | CKV_K8S_23 | resource | CronJob | Minimize the admission of root containers | Kubernetes | -| 1036 | CKV_K8S_24 | resource | PodSecurityPolicy | Do not allow containers with added capability | Kubernetes | -| 1037 | CKV_K8S_25 | resource | containers | Minimize the admission of containers with added capability | Kubernetes | -| 1038 | CKV_K8S_25 | resource | initContainers | Minimize the admission of containers with added capability | Kubernetes | -| 1039 | CKV_K8S_26 | resource | containers | Do not specify hostPort unless absolutely necessary | Kubernetes | -| 1040 | CKV_K8S_26 | resource | initContainers | Do not specify hostPort unless absolutely necessary | Kubernetes | -| 1041 | CKV_K8S_27 | resource | Pod | Do not expose the docker daemon socket to containers | Kubernetes | -| 1042 | CKV_K8S_27 | resource | Deployment | Do not expose the docker daemon socket to containers | Kubernetes | -| 1043 | CKV_K8S_27 | resource | DaemonSet | Do not expose the docker daemon socket to containers | Kubernetes | -| 1044 | CKV_K8S_27 | resource | StatefulSet | Do not expose the docker daemon socket to containers | Kubernetes | -| 1045 | CKV_K8S_27 | resource | ReplicaSet | Do not expose the docker daemon socket to containers | Kubernetes | -| 1046 | CKV_K8S_27 | resource | ReplicationController | Do not expose the docker daemon socket to containers | Kubernetes | -| 1047 | CKV_K8S_27 | resource | Job | Do not expose the docker daemon socket to containers | Kubernetes | -| 1048 | CKV_K8S_27 | resource | CronJob | Do not expose the docker daemon socket to containers | Kubernetes | -| 1049 | CKV_K8S_28 | resource | containers | Minimize the admission of containers with the NET_RAW capability | Kubernetes | -| 1050 | CKV_K8S_28 | resource | initContainers | Minimize the admission of containers with the NET_RAW capability | Kubernetes | -| 1051 | CKV_K8S_29 | resource | Pod | Apply security context to your pods and containers | Kubernetes | -| 1052 | CKV_K8S_29 | resource | Deployment | Apply security context to your pods and containers | Kubernetes | -| 1053 | CKV_K8S_29 | resource | DaemonSet | Apply security context to your pods and containers | Kubernetes | -| 1054 | CKV_K8S_29 | resource | StatefulSet | Apply security context to your pods and containers | Kubernetes | -| 1055 | CKV_K8S_29 | resource | ReplicaSet | Apply security context to your pods and containers | Kubernetes | -| 1056 | CKV_K8S_29 | resource | ReplicationController | Apply security context to your pods and containers | Kubernetes | -| 1057 | CKV_K8S_29 | resource | Job | Apply security context to your pods and containers | Kubernetes | -| 1058 | CKV_K8S_29 | resource | CronJob | Apply security context to your pods and containers | Kubernetes | -| 1059 | CKV_K8S_30 | resource | containers | Apply security context to your pods and containers | Kubernetes | -| 1060 | CKV_K8S_30 | resource | initContainers | Apply security context to your pods and containers | Kubernetes | -| 1061 | CKV_K8S_31 | resource | Pod | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | -| 1062 | CKV_K8S_31 | resource | Deployment | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | -| 1063 | CKV_K8S_31 | resource | DaemonSet | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | -| 1064 | CKV_K8S_31 | resource | StatefulSet | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | -| 1065 | CKV_K8S_31 | resource | ReplicaSet | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | -| 1066 | CKV_K8S_31 | resource | ReplicationController | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | -| 1067 | CKV_K8S_31 | resource | Job | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | -| 1068 | CKV_K8S_31 | resource | CronJob | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | -| 1069 | CKV_K8S_32 | resource | PodSecurityPolicy | Ensure default seccomp profile set to docker/default or runtime/default | Kubernetes | -| 1070 | CKV_K8S_33 | resource | containers | Ensure the Kubernetes dashboard is not deployed | Kubernetes | -| 1071 | CKV_K8S_33 | resource | initContainers | Ensure the Kubernetes dashboard is not deployed | Kubernetes | -| 1072 | CKV_K8S_34 | resource | containers | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | -| 1073 | CKV_K8S_34 | resource | initContainers | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | -| 1074 | CKV_K8S_35 | resource | containers | Prefer using secrets as files over secrets as environment variables | Kubernetes | -| 1075 | CKV_K8S_35 | resource | initContainers | Prefer using secrets as files over secrets as environment variables | Kubernetes | -| 1076 | CKV_K8S_36 | resource | PodSecurityPolicy | Minimize the admission of containers with capabilities assigned | Kubernetes | -| 1077 | CKV_K8S_37 | resource | containers | Minimize the admission of containers with capabilities assigned | Kubernetes | -| 1078 | CKV_K8S_37 | resource | initContainers | Minimize the admission of containers with capabilities assigned | Kubernetes | -| 1079 | CKV_K8S_38 | resource | Pod | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | -| 1080 | CKV_K8S_38 | resource | Deployment | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | -| 1081 | CKV_K8S_38 | resource | DaemonSet | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | -| 1082 | CKV_K8S_38 | resource | StatefulSet | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | -| 1083 | CKV_K8S_38 | resource | ReplicaSet | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | -| 1084 | CKV_K8S_38 | resource | ReplicationController | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | -| 1085 | CKV_K8S_38 | resource | Job | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | -| 1086 | CKV_K8S_38 | resource | CronJob | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | -| 1087 | CKV_K8S_39 | resource | containers | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | -| 1088 | CKV_K8S_39 | resource | initContainers | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | -| 1089 | CKV_K8S_40 | resource | Pod | Containers should run as a high UID to avoid host conflict | Kubernetes | -| 1090 | CKV_K8S_40 | resource | Deployment | Containers should run as a high UID to avoid host conflict | Kubernetes | -| 1091 | CKV_K8S_40 | resource | DaemonSet | Containers should run as a high UID to avoid host conflict | Kubernetes | -| 1092 | CKV_K8S_40 | resource | StatefulSet | Containers should run as a high UID to avoid host conflict | Kubernetes | -| 1093 | CKV_K8S_40 | resource | ReplicaSet | Containers should run as a high UID to avoid host conflict | Kubernetes | -| 1094 | CKV_K8S_40 | resource | ReplicationController | Containers should run as a high UID to avoid host conflict | Kubernetes | -| 1095 | CKV_K8S_40 | resource | Job | Containers should run as a high UID to avoid host conflict | Kubernetes | -| 1096 | CKV_K8S_40 | resource | CronJob | Containers should run as a high UID to avoid host conflict | Kubernetes | -| 1097 | CKV_K8S_41 | resource | ServiceAccount | Ensure that default service accounts are not actively used | Kubernetes | -| 1098 | CKV_K8S_42 | resource | RoleBinding | Ensure that default service accounts are not actively used | Kubernetes | -| 1099 | CKV_K8S_42 | resource | ClusterRoleBinding | Ensure that default service accounts are not actively used | Kubernetes | -| 1100 | CKV_K8S_43 | resource | containers | Image should use digest | Kubernetes | -| 1101 | CKV_K8S_43 | resource | initContainers | Image should use digest | Kubernetes | -| 1102 | CKV_K8S_44 | resource | Service | Ensure that the Tiller Service (Helm v2) is deleted | Kubernetes | -| 1103 | CKV_K8S_45 | resource | containers | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | -| 1104 | CKV_K8S_45 | resource | initContainers | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | -| 1105 | CKV_K8S_49 | resource | Role | Minimize wildcard use in Roles and ClusterRoles | Kubernetes | -| 1106 | CKV_K8S_49 | resource | ClusterRole | Minimize wildcard use in Roles and ClusterRoles | Kubernetes | -| 1107 | CKV_K8S_68 | resource | containers | Ensure that the --anonymous-auth argument is set to false | Kubernetes | -| 1108 | CKV_K8S_69 | resource | containers | Ensure that the --basic-auth-file argument is not set | Kubernetes | -| 1109 | CKV_K8S_70 | resource | containers | Ensure that the --token-auth-file argument is not set | Kubernetes | -| 1110 | CKV_K8S_71 | resource | containers | Ensure that the --kubelet-https argument is set to true | Kubernetes | -| 1111 | CKV_K8S_72 | resource | containers | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | -| 1112 | CKV_K8S_73 | resource | containers | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | -| 1113 | CKV_K8S_74 | resource | containers | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | -| 1114 | CKV_K8S_75 | resource | containers | Ensure that the --authorization-mode argument includes Node | Kubernetes | -| 1115 | CKV_K8S_77 | resource | containers | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | -| 1116 | CKV_K8S_78 | resource | AdmissionConfiguration | Ensure that the admission control plugin EventRateLimit is set | Kubernetes | -| 1117 | CKV_K8S_79 | resource | containers | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | -| 1118 | CKV_K8S_80 | resource | containers | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | -| 1119 | CKV_K8S_81 | resource | containers | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | -| 1120 | CKV_K8S_82 | resource | containers | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | -| 1121 | CKV_K8S_83 | resource | containers | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | -| 1122 | CKV_K8S_84 | resource | containers | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | -| 1123 | CKV_K8S_85 | resource | containers | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | -| 1124 | CKV_K8S_86 | resource | containers | Ensure that the --insecure-bind-address argument is not set | Kubernetes | -| 1125 | CKV_K8S_88 | resource | containers | Ensure that the --insecure-port argument is set to 0 | Kubernetes | -| 1126 | CKV_K8S_89 | resource | containers | Ensure that the --secure-port argument is not set to 0 | Kubernetes | -| 1127 | CKV_K8S_90 | resource | containers | Ensure that the --profiling argument is set to false | Kubernetes | -| 1128 | CKV_K8S_91 | resource | containers | Ensure that the --audit-log-path argument is set | Kubernetes | -| 1129 | CKV_K8S_92 | resource | containers | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | -| 1130 | CKV_K8S_93 | resource | containers | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | -| 1131 | CKV_K8S_94 | resource | containers | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | -| 1132 | CKV_K8S_95 | resource | containers | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | -| 1133 | CKV_K8S_96 | resource | containers | Ensure that the --service-account-lookup argument is set to true | Kubernetes | -| 1134 | CKV_K8S_97 | resource | containers | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | -| 1135 | CKV_K8S_99 | resource | containers | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | -| 1136 | CKV_K8S_100 | resource | containers | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | -| 1137 | CKV_K8S_102 | resource | containers | Ensure that the --etcd-ca-file argument is set as appropriate | Kubernetes | -| 1138 | CKV_K8S_104 | resource | containers | Ensure that encryption providers are appropriately configured | Kubernetes | -| 1139 | CKV_K8S_105 | resource | containers | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | -| 1140 | CKV_K8S_106 | resource | containers | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | -| 1141 | CKV_K8S_107 | resource | containers | Ensure that the --profiling argument is set to false | Kubernetes | -| 1142 | CKV_K8S_108 | resource | containers | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | -| 1143 | CKV_K8S_110 | resource | containers | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | -| 1144 | CKV_K8S_111 | resource | containers | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | -| 1145 | CKV_K8S_112 | resource | containers | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | -| 1146 | CKV_K8S_113 | resource | containers | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | -| 1147 | CKV_K8S_114 | resource | containers | Ensure that the --profiling argument is set to false | Kubernetes | -| 1148 | CKV_K8S_115 | resource | containers | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | -| 1149 | CKV_K8S_116 | resource | containers | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | -| 1150 | CKV_K8S_117 | resource | containers | Ensure that the --client-cert-auth argument is set to true | Kubernetes | -| 1151 | CKV_K8S_118 | resource | containers | Ensure that the --auto-tls argument is not set to true | Kubernetes | -| 1152 | CKV_K8S_119 | resource | containers | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | -| 1153 | CKV_K8S_121 | resource | Pod | Ensure that the --peer-client-cert-auth argument is set to true | Kubernetes | -| 1154 | CKV_K8S_138 | resource | containers | Ensure that the --anonymous-auth argument is set to false | Kubernetes | -| 1155 | CKV_K8S_139 | resource | containers | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | -| 1156 | CKV_K8S_140 | resource | containers | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | -| 1157 | CKV_K8S_141 | resource | containers | Ensure that the --read-only-port argument is set to 0 | Kubernetes | -| 1158 | CKV_K8S_143 | resource | containers | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | -| 1159 | CKV_K8S_144 | resource | containers | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | -| 1160 | CKV_K8S_145 | resource | containers | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | -| 1161 | CKV_K8S_146 | resource | containers | Ensure that the --hostname-override argument is not set | Kubernetes | -| 1162 | CKV_K8S_147 | resource | containers | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | -| 1163 | CKV_K8S_148 | resource | containers | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | -| 1164 | CKV_K8S_149 | resource | containers | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | -| 1165 | CKV_K8S_150 | resource | containers | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | -| 1166 | CKV_K8S_151 | resource | containers | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | -| 1167 | CKV_LIN_1 | provider | linode | Ensure no hard coded Linode tokens exist in provider | Terraform | -| 1168 | CKV_LIN_2 | resource | linode_instance | Ensure SSH key set in authorized_keys | Terraform | +| | Id | Type | Entity | Policy | IaC | +|------|---------------|----------------------------------|------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------| +| 0 | CKV_AWS_1 | data | aws_iam_policy_document | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | +| 1 | CKV_AWS_1 | resource | serverless_aws | Ensure IAM policies that allow full "*-*" administrative privileges are not created | serverless | +| 2 | CKV_AWS_2 | resource | aws_lb_listener | Ensure ALB protocol is HTTPS | Terraform | +| 3 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | +| 4 | CKV_AWS_3 | resource | aws_ebs_volume | Ensure all data stored in the EBS is securely encrypted | Terraform | +| 5 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | +| 6 | CKV_AWS_5 | resource | aws_elasticsearch_domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Terraform | +| 7 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | +| 8 | CKV_AWS_6 | resource | aws_elasticsearch_domain | Ensure all Elasticsearch has node-to-node encryption enabled | Terraform | +| 9 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | +| 10 | CKV_AWS_7 | resource | aws_kms_key | Ensure rotation for customer created CMKs is enabled | Terraform | +| 11 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | +| 12 | CKV_AWS_8 | resource | aws_instance | Ensure all data stored in the Launch configuration EBS is securely encrypted | Terraform | +| 13 | CKV_AWS_8 | resource | aws_launch_configuration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Terraform | +| 14 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | +| 15 | CKV_AWS_9 | resource | aws_iam_account_password_policy | Ensure IAM password policy expires passwords within 90 days or less | Terraform | +| 16 | CKV_AWS_10 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires minimum length of 14 or greater | Terraform | +| 17 | CKV_AWS_11 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one lowercase letter | Terraform | +| 18 | CKV_AWS_12 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one number | Terraform | +| 19 | CKV_AWS_13 | resource | aws_iam_account_password_policy | Ensure IAM password policy prevents password reuse | Terraform | +| 20 | CKV_AWS_14 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one symbol | Terraform | +| 21 | CKV_AWS_15 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one uppercase letter | Terraform | +| 22 | CKV_AWS_16 | resource | aws_db_instance | Ensure all data stored in the RDS is securely encrypted at rest | Terraform | +| 23 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | +| 24 | CKV_AWS_17 | resource | aws_db_instance | Ensure all data stored in RDS is not publicly accessible | Terraform | +| 25 | CKV_AWS_17 | resource | aws_rds_cluster_instance | Ensure all data stored in RDS is not publicly accessible | Terraform | +| 26 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | +| 27 | CKV_AWS_18 | resource | aws_s3_bucket | Ensure the S3 bucket has access logging enabled | Terraform | +| 28 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | +| 29 | CKV_AWS_19 | resource | aws_s3_bucket | Ensure all data stored in the S3 bucket is securely encrypted at rest | Terraform | +| 30 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | +| 31 | CKV_AWS_20 | resource | aws_s3_bucket | S3 Bucket has an ACL defined which allows public READ access. | Terraform | +| 32 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | +| 33 | CKV_AWS_21 | resource | aws_s3_bucket | Ensure all data stored in the S3 bucket have versioning enabled | Terraform | +| 34 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | +| 35 | CKV_AWS_22 | resource | aws_sagemaker_notebook_instance | Ensure SageMaker Notebook is encrypted at rest using KMS CMK | Terraform | +| 36 | CKV_AWS_23 | resource | aws_security_group | Ensure every security groups rule has a description | Terraform | +| 37 | CKV_AWS_23 | resource | aws_security_group_rule | Ensure every security groups rule has a description | Terraform | +| 38 | CKV_AWS_23 | resource | aws_db_security_group | Ensure every security groups rule has a description | Terraform | +| 39 | CKV_AWS_23 | resource | aws_elasticache_security_group | Ensure every security groups rule has a description | Terraform | +| 40 | CKV_AWS_23 | resource | aws_redshift_security_group | Ensure every security groups rule has a description | Terraform | +| 41 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | +| 42 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | +| 43 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | +| 44 | CKV_AWS_24 | resource | aws_security_group | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Terraform | +| 45 | CKV_AWS_24 | resource | aws_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Terraform | +| 46 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 47 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 48 | CKV_AWS_25 | resource | aws_security_group | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Terraform | +| 49 | CKV_AWS_25 | resource | aws_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Terraform | +| 50 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 51 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 52 | CKV_AWS_26 | resource | aws_sns_topic | Ensure all data stored in the SNS topic is encrypted | Terraform | +| 53 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | +| 54 | CKV_AWS_27 | resource | aws_sqs_queue | Ensure all data stored in the SQS queue is encrypted | Terraform | +| 55 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | +| 56 | CKV_AWS_28 | resource | aws_dynamodb_table | Ensure Dynamodb point in time recovery (backup) is enabled | Terraform | +| 57 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | +| 58 | CKV_AWS_29 | resource | aws_elasticache_replication_group | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Terraform | +| 59 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | +| 60 | CKV_AWS_30 | resource | aws_elasticache_replication_group | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Terraform | +| 61 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | +| 62 | CKV_AWS_31 | resource | aws_elasticache_replication_group | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Terraform | +| 63 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | +| 64 | CKV_AWS_32 | resource | aws_ecr_repository_policy | Ensure ECR policy is not set to public | Terraform | +| 65 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | +| 66 | CKV_AWS_33 | resource | aws_kms_key | Ensure KMS key policy does not contain wildcard (*) principal | Terraform | +| 67 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | +| 68 | CKV_AWS_34 | resource | aws_cloudfront_distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Terraform | +| 69 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | +| 70 | CKV_AWS_35 | resource | aws_cloudtrail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Terraform | +| 71 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | +| 72 | CKV_AWS_36 | resource | aws_cloudtrail | Ensure CloudTrail log file validation is enabled | Terraform | +| 73 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | +| 74 | CKV_AWS_37 | resource | aws_eks_cluster | Ensure Amazon EKS control plane logging enabled for all log types | Terraform | +| 75 | CKV_AWS_38 | resource | aws_eks_cluster | Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0 | Terraform | +| 76 | CKV_AWS_39 | resource | aws_eks_cluster | Ensure Amazon EKS public endpoint disabled | Terraform | +| 77 | CKV_AWS_40 | resource | aws_iam_user_policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Terraform | +| 78 | CKV_AWS_40 | resource | aws_iam_user_policy_attachment | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Terraform | +| 79 | CKV_AWS_40 | resource | aws_iam_policy_attachment | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Terraform | +| 80 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | +| 81 | CKV_AWS_41 | provider | aws | Ensure no hard coded AWS access key and secret key exists in provider | Terraform | +| 82 | CKV_AWS_41 | resource | serverless_aws | Ensure no hard coded AWS access key and secret key exists in provider | serverless | +| 83 | CKV_AWS_42 | resource | aws_efs_file_system | Ensure EFS is securely encrypted | Terraform | +| 84 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | +| 85 | CKV_AWS_43 | resource | aws_kinesis_stream | Ensure Kinesis Stream is securely encrypted | Terraform | +| 86 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | +| 87 | CKV_AWS_44 | resource | aws_neptune_cluster | Ensure Neptune storage is securely encrypted | Terraform | +| 88 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | +| 89 | CKV_AWS_45 | resource | aws_lambda_function | Ensure no hard-coded secrets exist in lambda environment | Terraform | +| 90 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | +| 91 | CKV_AWS_46 | resource | aws_instance | Ensure no hard-coded secrets exist in EC2 user data | Terraform | +| 92 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | +| 93 | CKV_AWS_47 | resource | aws_dax_cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Terraform | +| 94 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | +| 95 | CKV_AWS_48 | resource | aws_mq_broker | Ensure MQ Broker logging is enabled | Terraform | +| 96 | CKV_AWS_49 | data | aws_iam_policy_document | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | +| 97 | CKV_AWS_49 | resource | serverless_aws | Ensure no IAM policies documents allow "*" as a statement's actions | serverless | +| 98 | CKV_AWS_50 | resource | aws_lambda_function | X-ray tracing is enabled for Lambda | Terraform | +| 99 | CKV_AWS_51 | resource | aws_ecr_repository | Ensure ECR Image Tags are immutable | Terraform | +| 100 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | +| 101 | CKV_AWS_53 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has block public ACLS enabled | Terraform | +| 102 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | +| 103 | CKV_AWS_54 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has block public policy enabled | Terraform | +| 104 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | +| 105 | CKV_AWS_55 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has ignore public ACLs enabled | Terraform | +| 106 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | +| 107 | CKV_AWS_56 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has 'restrict_public_bucket' enabled | Terraform | +| 108 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | +| 109 | CKV_AWS_57 | resource | aws_s3_bucket | S3 Bucket has an ACL defined which allows public WRITE access. | Terraform | +| 110 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | +| 111 | CKV_AWS_58 | resource | aws_eks_cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Terraform | +| 112 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | +| 113 | CKV_AWS_59 | resource | aws_api_gateway_method | Ensure there is no open access to back-end resources through API | Terraform | +| 114 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | +| 115 | CKV_AWS_60 | resource | aws_iam_role | Ensure IAM role allows only specific services or principals to assume it | Terraform | +| 116 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | +| 117 | CKV_AWS_61 | resource | aws_iam_role | Ensure IAM role allows only specific principals in account to assume it | Terraform | +| 118 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | +| 119 | CKV_AWS_62 | resource | aws_iam_role_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | +| 120 | CKV_AWS_62 | resource | aws_iam_user_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | +| 121 | CKV_AWS_62 | resource | aws_iam_group_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | +| 122 | CKV_AWS_62 | resource | aws_iam_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | +| 123 | CKV_AWS_63 | resource | aws_iam_role_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | +| 124 | CKV_AWS_63 | resource | aws_iam_user_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | +| 125 | CKV_AWS_63 | resource | aws_iam_group_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | +| 126 | CKV_AWS_63 | resource | aws_iam_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | +| 127 | CKV_AWS_64 | resource | aws_redshift_cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Terraform | +| 128 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | +| 129 | CKV_AWS_65 | resource | aws_ecs_cluster | Ensure container insights are enabled on ECS cluster | Terraform | +| 130 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | +| 131 | CKV_AWS_66 | resource | aws_cloudwatch_log_group | Ensure that CloudWatch Log Group specifies retention days | Terraform | +| 132 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | +| 133 | CKV_AWS_67 | resource | aws_cloudtrail | Ensure CloudTrail is enabled in all Regions | Terraform | +| 134 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | +| 135 | CKV_AWS_68 | resource | aws_cloudfront_distribution | CloudFront Distribution should have WAF enabled | Terraform | +| 136 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | +| 137 | CKV_AWS_69 | resource | aws_mq_broker | Ensure MQ Broker is not publicly exposed | Terraform | +| 138 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | +| 139 | CKV_AWS_70 | resource | aws_s3_bucket | Ensure S3 bucket does not allow an action with any Principal | Terraform | +| 140 | CKV_AWS_70 | resource | aws_s3_bucket_policy | Ensure S3 bucket does not allow an action with any Principal | Terraform | +| 141 | CKV_AWS_71 | resource | aws_redshift_cluster | Ensure Redshift Cluster logging is enabled | Terraform | +| 142 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | +| 143 | CKV_AWS_72 | resource | aws_sqs_queue_policy | Ensure SQS policy does not allow ALL (*) actions. | Terraform | +| 144 | CKV_AWS_73 | resource | aws_api_gateway_stage | Ensure API Gateway has X-Ray Tracing enabled | Terraform | +| 145 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | +| 146 | CKV_AWS_74 | resource | aws_docdb_cluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Terraform | +| 147 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | +| 148 | CKV_AWS_75 | resource | aws_globalaccelerator_accelerator | Ensure Global Accelerator accelerator has flow logs enabled | Terraform | +| 149 | CKV_AWS_76 | resource | aws_api_gateway_stage | Ensure API Gateway has Access Logging enabled | Terraform | +| 150 | CKV_AWS_76 | resource | aws_apigatewayv2_stage | Ensure API Gateway has Access Logging enabled | Terraform | +| 151 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | +| 152 | CKV_AWS_77 | resource | aws_athena_database | Ensure Athena Database is encrypted at rest (default is unencrypted) | Terraform | +| 153 | CKV_AWS_78 | resource | aws_codebuild_project | Ensure that CodeBuild Project encryption is not disabled | Terraform | +| 154 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | +| 155 | CKV_AWS_79 | resource | aws_instance | Ensure Instance Metadata Service Version 1 is not enabled | Terraform | +| 156 | CKV_AWS_79 | resource | aws_launch_template | Ensure Instance Metadata Service Version 1 is not enabled | Terraform | +| 157 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | +| 158 | CKV_AWS_80 | resource | aws_msk_cluster | Ensure MSK Cluster logging is enabled | Terraform | +| 159 | CKV_AWS_81 | resource | aws_msk_cluster | Ensure MSK Cluster encryption in rest and transit is enabled | Terraform | +| 160 | CKV_AWS_82 | resource | aws_athena_workgroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Terraform | +| 161 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | +| 162 | CKV_AWS_83 | resource | aws_elasticsearch_domain | Ensure Elasticsearch Domain enforces HTTPS | Terraform | +| 163 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | +| 164 | CKV_AWS_84 | resource | aws_elasticsearch_domain | Ensure Elasticsearch Domain Logging is enabled | Terraform | +| 165 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | +| 166 | CKV_AWS_85 | resource | aws_docdb_cluster | Ensure DocDB Logging is enabled | Terraform | +| 167 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | +| 168 | CKV_AWS_86 | resource | aws_cloudfront_distribution | Ensure Cloudfront distribution has Access Logging enabled | Terraform | +| 169 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | +| 170 | CKV_AWS_87 | resource | aws_redshift_cluster | Redshift cluster should not be publicly accessible | Terraform | +| 171 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | +| 172 | CKV_AWS_88 | resource | aws_instance | EC2 instance should not have public IP. | Terraform | +| 173 | CKV_AWS_88 | resource | aws_launch_template | EC2 instance should not have public IP. | Terraform | +| 174 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | +| 175 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | +| 176 | CKV_AWS_89 | resource | aws_dms_replication_instance | DMS replication instance should not be publicly accessible | Terraform | +| 177 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | +| 178 | CKV_AWS_90 | resource | aws_docdb_cluster_parameter_group | Ensure DocDB TLS is not disabled | Terraform | +| 179 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | +| 180 | CKV_AWS_91 | resource | aws_lb | Ensure the ELBv2 (Application/Network) has access logging enabled | Terraform | +| 181 | CKV_AWS_91 | resource | aws_alb | Ensure the ELBv2 (Application/Network) has access logging enabled | Terraform | +| 182 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | +| 183 | CKV_AWS_92 | resource | aws_elb | Ensure the ELB has access logging enabled | Terraform | +| 184 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | +| 185 | CKV_AWS_93 | resource | aws_s3_bucket | Ensure S3 bucket policy does not lockout all but root user. (Prevent lockouts needing root account fixes) | Terraform | +| 186 | CKV_AWS_93 | resource | aws_s3_bucket_policy | Ensure S3 bucket policy does not lockout all but root user. (Prevent lockouts needing root account fixes) | Terraform | +| 187 | CKV_AWS_94 | resource | aws_glue_data_catalog_encryption_settings | Ensure Glue Data Catalog Encryption is enabled | Terraform | +| 188 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | +| 189 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | +| 190 | CKV_AWS_96 | resource | aws_rds_cluster | Ensure all data stored in Aurora is securely encrypted at rest | Terraform | +| 191 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | +| 192 | CKV_AWS_97 | resource | aws_ecs_task_definition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Terraform | +| 193 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | +| 194 | CKV_AWS_98 | resource | aws_sagemaker_endpoint_configuration | Ensure all data stored in the Sagemaker Endpoint is securely encrypted at rest | Terraform | +| 195 | CKV_AWS_99 | resource | aws_glue_security_configuration | Ensure Glue Security Configuration Encryption is enabled | Terraform | +| 196 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | +| 197 | CKV_AWS_100 | resource | aws_eks_node_group | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Terraform | +| 198 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | +| 199 | CKV_AWS_101 | resource | aws_neptune_cluster | Ensure Neptune logging is enabled | Terraform | +| 200 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | +| 201 | CKV_AWS_102 | resource | aws_neptune_cluster_instance | Ensure Neptune Cluster instance is not publicly available | Terraform | +| 202 | CKV_AWS_103 | resource | aws_lb_listener | Ensure that load balancer is using TLS 1.2 | Terraform | +| 203 | CKV_AWS_104 | resource | aws_docdb_cluster_parameter_group | Ensure DocDB has audit logs enabled | Terraform | +| 204 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | +| 205 | CKV_AWS_105 | resource | aws_redshift_parameter_group | Ensure Redshift uses SSL | Terraform | +| 206 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | +| 207 | CKV_AWS_106 | resource | aws_ebs_encryption_by_default | Ensure EBS default encryption is enabled | Terraform | +| 208 | CKV_AWS_107 | data | aws_iam_policy_document | Ensure IAM policies does not allow credentials exposure | Terraform | +| 209 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 210 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 211 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 212 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 213 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 214 | CKV_AWS_108 | data | aws_iam_policy_document | Ensure IAM policies does not allow data exfiltration | Terraform | +| 215 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 216 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 217 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 218 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 219 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 220 | CKV_AWS_109 | data | aws_iam_policy_document | Ensure IAM policies does not allow permissions management / resource exposure without constraints | Terraform | +| 221 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 222 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 223 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 224 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 225 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 226 | CKV_AWS_110 | data | aws_iam_policy_document | Ensure IAM policies does not allow privilege escalation | Terraform | +| 227 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 228 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 229 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 230 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 231 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 232 | CKV_AWS_111 | data | aws_iam_policy_document | Ensure IAM policies does not allow write access without constraints | Terraform | +| 233 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 234 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 235 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 236 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 237 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 238 | CKV_AWS_112 | resource | aws_ssm_document | Ensure Session Manager data is encrypted in transit | Terraform | +| 239 | CKV_AWS_113 | resource | aws_ssm_document | Ensure Session Manager logs are enabled and encrypted | Terraform | +| 240 | CKV_AWS_114 | resource | aws_emr_cluster | Ensure that EMR clusters with Kerberos have Kerberos Realm set | Terraform | +| 241 | CKV_AWS_115 | resource | aws_lambda_function | Ensure that AWS Lambda function is configured for function-level concurrent execution limit | Terraform | +| 242 | CKV_AWS_116 | resource | aws_lambda_function | Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) | Terraform | +| 243 | CKV_AWS_117 | resource | aws_lambda_function | Ensure that AWS Lambda function is configured inside a VPC | Terraform | +| 244 | CKV_AWS_118 | resource | aws_db_instance | Ensure that enhanced monitoring is enabled for Amazon RDS instances | Terraform | +| 245 | CKV_AWS_118 | resource | aws_rds_cluster_instance | Ensure that enhanced monitoring is enabled for Amazon RDS instances | Terraform | +| 246 | CKV_AWS_119 | resource | aws_dynamodb_table | Ensure DynamoDB Tables are encrypted using KMS | Terraform | +| 247 | CKV_AWS_120 | resource | aws_api_gateway_stage | Ensure API Gateway caching is enabled | Terraform | +| 248 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | +| 249 | CKV_AWS_121 | resource | aws_config_configuration_aggregator | Ensure AWS Config is enabled in all regions | Terraform | +| 250 | CKV_AWS_122 | resource | aws_sagemaker_notebook_instance | Ensure that direct internet access is disabled for an Amazon SageMaker Notebook Instance | Terraform | +| 251 | CKV_AWS_123 | resource | aws_vpc_endpoint_service | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Terraform | +| 252 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | +| 253 | CKV_AWS_124 | resource | aws_cloudformation_stack | Ensure that CloudFormation stacks are sending event notifications to an SNS topic | Terraform | +| 254 | CKV_AWS_126 | resource | aws_instance | Ensure that detailed monitoring is enabled for EC2 instances | Terraform | +| 255 | CKV_AWS_127 | resource | aws_elb | Ensure that Elastic Load Balancer(s) uses SSL certificates provided by AWS Certificate Manager | Terraform | +| 256 | CKV_AWS_128 | resource | aws_rds_cluster | Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled | Terraform | +| 257 | CKV_AWS_129 | resource | aws_db_instance | Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled | Terraform | +| 258 | CKV_AWS_130 | resource | aws_subnet | Ensure VPC subnets do not assign public IP by default | Terraform | +| 259 | CKV_AWS_131 | resource | aws_lb | Ensure that ALB drops HTTP headers | Terraform | +| 260 | CKV_AWS_131 | resource | aws_alb | Ensure that ALB drops HTTP headers | Terraform | +| 261 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | +| 262 | CKV_AWS_133 | resource | aws_rds_cluster | Ensure that RDS instances has backup policy | Terraform | +| 263 | CKV_AWS_134 | resource | aws_elasticache_cluster | Ensure that Amazon ElastiCache Redis clusters have automatic backup turned on | Terraform | +| 264 | CKV_AWS_135 | resource | aws_instance | Ensure that EC2 is EBS optimized | Terraform | +| 265 | CKV_AWS_136 | resource | aws_ecr_repository | Ensure that ECR repositories are encrypted using KMS | Terraform | +| 266 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | +| 267 | CKV_AWS_137 | resource | aws_elasticsearch_domain | Ensure that Elasticsearch is configured inside a VPC | Terraform | +| 268 | CKV_AWS_138 | resource | aws_elb | Ensure that ELB is cross-zone-load-balancing enabled | Terraform | +| 269 | CKV_AWS_139 | resource | aws_rds_cluster | Ensure that RDS clusters have deletion protection enabled | Terraform | +| 270 | CKV_AWS_140 | resource | aws_rds_global_cluster | Ensure that RDS global clusters are encrypted | Terraform | +| 271 | CKV_AWS_141 | resource | aws_redshift_cluster | Ensured that redshift cluster allowing version upgrade by default | Terraform | +| 272 | CKV_AWS_142 | resource | aws_redshift_cluster | Ensure that Redshift cluster is encrypted by KMS | Terraform | +| 273 | CKV_AWS_143 | resource | aws_s3_bucket | Ensure that S3 bucket has lock configuration enabled by default | Terraform | +| 274 | CKV_AWS_144 | resource | aws_s3_bucket | Ensure that S3 bucket has cross-region replication enabled | Terraform | +| 275 | CKV_AWS_145 | resource | aws_s3_bucket | Ensure that S3 buckets are encrypted with KMS by default | Terraform | +| 276 | CKV_AWS_146 | resource | aws_db_cluster_snapshot | Ensure that RDS database cluster snapshot is encrypted | Terraform | +| 277 | CKV_AWS_147 | resource | aws_codebuild_project | Ensure that CodeBuild projects are encrypted | Terraform | +| 278 | CKV_AWS_148 | resource | aws_default_vpc | Ensure no default VPC is planned to be provisioned | Terraform | +| 279 | CKV_AWS_149 | resource | aws_secretsmanager_secret | Ensure that Secrets Manager secret is encrypted using KMS | Terraform | +| 280 | CKV_AWS_150 | resource | aws_lb | Ensure that Load Balancer has deletion protection enabled | Terraform | +| 281 | CKV_AWS_150 | resource | aws_alb | Ensure that Load Balancer has deletion protection enabled | Terraform | +| 282 | CKV_AWS_151 | resource | aws_eks_cluster | Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS | Terraform | +| 283 | CKV_AWS_152 | resource | aws_lb | Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled | Terraform | +| 284 | CKV_AWS_152 | resource | aws_alb | Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled | Terraform | +| 285 | CKV_AWS_153 | resource | aws_autoscaling_group | Autoscaling groups should supply tags to launch configurations | Terraform | +| 286 | CKV_AWS_154 | resource | aws_redshift_cluster | Ensure Redshift is not deployed outside of a VPC | Terraform | +| 287 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | +| 288 | CKV_AWS_155 | resource | aws_workspaces_workspace | Ensure that Workspace user volumes are encrypted | Terraform | +| 289 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | +| 290 | CKV_AWS_156 | resource | aws_workspaces_workspace | Ensure that Workspace root volumes are encrypted | Terraform | +| 291 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | +| 292 | CKV_AWS_157 | resource | aws_db_instance | Ensure that RDS instances have Multi-AZ enabled | Terraform | +| 293 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | +| 294 | CKV_AWS_158 | resource | aws_cloudwatch_log_group | Ensure that CloudWatch Log Group is encrypted by KMS | Terraform | +| 295 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | +| 296 | CKV_AWS_159 | resource | aws_athena_workgroup | Ensure that Athena Workgroup is encrypted | Terraform | +| 297 | CKV_AWS_160 | resource | aws_timestreamwrite_database | Ensure that Timestream database is encrypted with KMS CMK | Terraform | +| 298 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | +| 299 | CKV_AWS_161 | resource | aws_db_instance | Ensure RDS database has IAM authentication enabled | Terraform | +| 300 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | +| 301 | CKV_AWS_162 | resource | aws_rds_cluster | Ensure RDS cluster has IAM authentication enabled | Terraform | +| 302 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | +| 303 | CKV_AWS_163 | resource | aws_ecr_repository | Ensure ECR image scanning on push is enabled | Terraform | +| 304 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | +| 305 | CKV_AWS_164 | resource | aws_transfer_server | Ensure Transfer Server is not exposed publicly. | Terraform | +| 306 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | +| 307 | CKV_AWS_165 | resource | aws_dynamodb_global_table | Ensure Dynamodb point in time recovery (backup) is enabled for global tables | Terraform | +| 308 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | +| 309 | CKV_AWS_166 | resource | aws_backup_vault | Ensure Backup Vault is encrypted at rest using KMS CMK | Terraform | +| 310 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | +| 311 | CKV_AWS_167 | resource | aws_glacier_vault | Ensure Glacier Vault access policy is not public by only allowing specific services or principals to access it | Terraform | +| 312 | CKV_AWS_168 | resource | aws_sqs_queue_policy | Ensure SQS queue policy is not public by only allowing specific services or principals to access it | Terraform | +| 313 | CKV_AWS_169 | resource | aws_sns_topic_policy | Ensure SNS topic policy is not public by only allowing specific services or principals to access it | Terraform | +| 314 | CKV_AWS_170 | resource | aws_qldb_ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Terraform | +| 315 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | +| 316 | CKV_AWS_171 | resource | aws_emr_security_configuration | Ensure Cluster security configuration encryption is using SSE-KMS | Terraform | +| 317 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | +| 318 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | +| 319 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 320 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 321 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | +| 322 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | +| 323 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 324 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 325 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to an other resource | Terraform | +| 326 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | +| 327 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | +| 328 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 329 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 330 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | +| 331 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | +| 332 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | +| 333 | CKV2_AWS_11 | resource | aws_vpc | Ensure VPC flow logging is enabled in all VPCs | Terraform | +| 334 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 335 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 336 | CKV2_AWS_13 | resource | aws_redshift_cluster | Ensure that Redshift clusters has backup plan of AWS Backup | Terraform | +| 337 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | +| 338 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | +| 339 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 340 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 341 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | +| 342 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | +| 343 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | +| 344 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | +| 345 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | +| 346 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 347 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 348 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | +| 349 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | +| 350 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | +| 351 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | +| 352 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | +| 353 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | +| 354 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | +| 355 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | +| 356 | CKV_AZURE_1 | resource | azurerm_linux_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | +| 357 | CKV_AZURE_1 | resource | azurerm_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | +| 358 | CKV_AZURE_1 | resource | Microsoft.Compute/virtualMachines | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | arm | +| 359 | CKV_AZURE_2 | resource | azurerm_managed_disk | Ensure Azure managed disk has encryption enabled | Terraform | +| 360 | CKV_AZURE_2 | resource | Microsoft.Compute/disks | Ensure Azure managed disk have encryption enabled | arm | +| 361 | CKV_AZURE_3 | resource | azurerm_storage_account | Ensure that 'Secure transfer required' is set to 'Enabled' | Terraform | +| 362 | CKV_AZURE_3 | resource | Microsoft.Storage/storageAccounts | Ensure that 'supportsHttpsTrafficOnly' is set to 'true' | arm | +| 363 | CKV_AZURE_4 | resource | azurerm_kubernetes_cluster | Ensure AKS logging to Azure Monitoring is Configured | Terraform | +| 364 | CKV_AZURE_4 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS logging to Azure Monitoring is Configured | arm | +| 365 | CKV_AZURE_5 | resource | azurerm_kubernetes_cluster | Ensure RBAC is enabled on AKS clusters | Terraform | +| 366 | CKV_AZURE_5 | resource | Microsoft.ContainerService/managedClusters | Ensure RBAC is enabled on AKS clusters | arm | +| 367 | CKV_AZURE_6 | resource | azurerm_kubernetes_cluster | Ensure AKS has an API Server Authorized IP Ranges enabled | Terraform | +| 368 | CKV_AZURE_6 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS has an API Server Authorized IP Ranges enabled | arm | +| 369 | CKV_AZURE_7 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster has Network Policy configured | Terraform | +| 370 | CKV_AZURE_7 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS cluster has Network Policy configured | arm | +| 371 | CKV_AZURE_8 | resource | azurerm_kubernetes_cluster | Ensure Kube Dashboard is disabled | Terraform | +| 372 | CKV_AZURE_8 | resource | Microsoft.ContainerService/managedClusters | Ensure Kubernetes Dashboard is disabled | arm | +| 373 | CKV_AZURE_9 | resource | azurerm_network_security_rule | Ensure that RDP access is restricted from the internet | Terraform | +| 374 | CKV_AZURE_9 | resource | azurerm_network_security_group | Ensure that RDP access is restricted from the internet | Terraform | +| 375 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups | Ensure that RDP access is restricted from the internet | arm | +| 376 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that RDP access is restricted from the internet | arm | +| 377 | CKV_AZURE_10 | resource | azurerm_network_security_rule | Ensure that SSH access is restricted from the internet | Terraform | +| 378 | CKV_AZURE_10 | resource | azurerm_network_security_group | Ensure that SSH access is restricted from the internet | Terraform | +| 379 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups | Ensure that SSH access is restricted from the internet | arm | +| 380 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that SSH access is restricted from the internet | arm | +| 381 | CKV_AZURE_11 | resource | azurerm_mariadb_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | +| 382 | CKV_AZURE_11 | resource | azurerm_sql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | +| 383 | CKV_AZURE_11 | resource | azurerm_postgresql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | +| 384 | CKV_AZURE_11 | resource | azurerm_mysql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | +| 385 | CKV_AZURE_11 | resource | Microsoft.Sql/servers | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | arm | +| 386 | CKV_AZURE_12 | resource | azurerm_network_watcher_flow_log | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Terraform | +| 387 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | +| 388 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | +| 389 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | +| 390 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | +| 391 | CKV_AZURE_13 | resource | azurerm_app_service | Ensure App Service Authentication is set on Azure App Service | Terraform | +| 392 | CKV_AZURE_13 | resource | Microsoft.Web/sites/config | Ensure App Service Authentication is set on Azure App Service | arm | +| 393 | CKV_AZURE_13 | resource | config | Ensure App Service Authentication is set on Azure App Service | arm | +| 394 | CKV_AZURE_14 | resource | azurerm_app_service | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Terraform | +| 395 | CKV_AZURE_14 | resource | Microsoft.Web/sites | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | arm | +| 396 | CKV_AZURE_15 | resource | azurerm_app_service | Ensure web app is using the latest version of TLS encryption | Terraform | +| 397 | CKV_AZURE_15 | resource | Microsoft.Web/sites | Ensure web app is using the latest version of TLS encryption | arm | +| 398 | CKV_AZURE_16 | resource | azurerm_app_service | Ensure that Register with Azure Active Directory is enabled on App Service | Terraform | +| 399 | CKV_AZURE_16 | resource | Microsoft.Web/sites | Ensure that Register with Azure Active Directory is enabled on App Service | arm | +| 400 | CKV_AZURE_17 | resource | azurerm_app_service | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Terraform | +| 401 | CKV_AZURE_17 | resource | Microsoft.Web/sites | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | arm | +| 402 | CKV_AZURE_18 | resource | azurerm_app_service | Ensure that 'HTTP Version' is the latest if used to run the web app | Terraform | +| 403 | CKV_AZURE_18 | resource | Microsoft.Web/sites | Ensure that 'HTTP Version' is the latest if used to run the web app | arm | +| 404 | CKV_AZURE_19 | resource | azurerm_security_center_subscription_pricing | Ensure that standard pricing tier is selected | Terraform | +| 405 | CKV_AZURE_19 | resource | Microsoft.Security/pricings | Ensure that standard pricing tier is selected | arm | +| 406 | CKV_AZURE_20 | resource | azurerm_security_center_contact | Ensure that security contact 'Phone number' is set | Terraform | +| 407 | CKV_AZURE_20 | resource | Microsoft.Security/securityContacts | Ensure that security contact 'Phone number' is set | arm | +| 408 | CKV_AZURE_21 | resource | azurerm_security_center_contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Terraform | +| 409 | CKV_AZURE_21 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | arm | +| 410 | CKV_AZURE_22 | resource | azurerm_security_center_contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Terraform | +| 411 | CKV_AZURE_22 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | arm | +| 412 | CKV_AZURE_23 | resource | azurerm_sql_server | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | +| 413 | CKV_AZURE_23 | resource | azurerm_mssql_server | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | +| 414 | CKV_AZURE_23 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' is set to 'Enabled' for SQL servers | arm | +| 415 | CKV_AZURE_24 | resource | azurerm_sql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | +| 416 | CKV_AZURE_24 | resource | azurerm_mssql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | +| 417 | CKV_AZURE_24 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | arm | +| 418 | CKV_AZURE_25 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Threat Detection types' is set to 'All' | Terraform | +| 419 | CKV_AZURE_25 | resource | Microsoft.Sql/servers/databases | Ensure that 'Threat Detection types' is set to 'All' | arm | +| 420 | CKV_AZURE_26 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Send Alerts To' is enabled for MSSQL servers | Terraform | +| 421 | CKV_AZURE_26 | resource | Microsoft.Sql/servers/databases | Ensure that 'Send Alerts To' is enabled for MSSQL servers | arm | +| 422 | CKV_AZURE_27 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | Terraform | +| 423 | CKV_AZURE_27 | resource | Microsoft.Sql/servers/databases | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | arm | +| 424 | CKV_AZURE_28 | resource | azurerm_mysql_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | Terraform | +| 425 | CKV_AZURE_28 | resource | Microsoft.DBforMySQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | arm | +| 426 | CKV_AZURE_29 | resource | azurerm_postgresql_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Terraform | +| 427 | CKV_AZURE_29 | resource | Microsoft.DBforPostgreSQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | arm | +| 428 | CKV_AZURE_30 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Terraform | +| 429 | CKV_AZURE_30 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | arm | +| 430 | CKV_AZURE_30 | resource | configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | arm | +| 431 | CKV_AZURE_31 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | Terraform | +| 432 | CKV_AZURE_31 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | arm | +| 433 | CKV_AZURE_31 | resource | configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | arm | +| 434 | CKV_AZURE_32 | resource | azurerm_postgresql_configuration | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Terraform | +| 435 | CKV_AZURE_32 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | arm | +| 436 | CKV_AZURE_32 | resource | configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | arm | +| 437 | CKV_AZURE_33 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Queue service for read, write and delete requests | Terraform | +| 438 | CKV_AZURE_33 | resource | Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings | Ensure Storage logging is enabled for Queue service for read, write and delete requests | arm | +| 439 | CKV_AZURE_34 | resource | azurerm_storage_container | Ensure that 'Public access level' is set to Private for blob containers | Terraform | +| 440 | CKV_AZURE_34 | resource | Microsoft.Storage/storageAccounts/blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | arm | +| 441 | CKV_AZURE_34 | resource | containers | Ensure that 'Public access level' is set to Private for blob containers | arm | +| 442 | CKV_AZURE_34 | resource | blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | arm | +| 443 | CKV_AZURE_35 | resource | azurerm_storage_account | Ensure default network access rule for Storage Accounts is set to deny | Terraform | +| 444 | CKV_AZURE_35 | resource | azurerm_storage_account_network_rules | Ensure default network access rule for Storage Accounts is set to deny | Terraform | +| 445 | CKV_AZURE_35 | resource | Microsoft.Storage/storageAccounts | Ensure default network access rule for Storage Accounts is set to deny | arm | +| 446 | CKV_AZURE_36 | resource | azurerm_storage_account | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Terraform | +| 447 | CKV_AZURE_36 | resource | azurerm_storage_account_network_rules | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Terraform | +| 448 | CKV_AZURE_36 | resource | Microsoft.Storage/storageAccounts | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | arm | +| 449 | CKV_AZURE_37 | resource | azurerm_monitor_log_profile | Ensure that Activity Log Retention is set 365 days or greater | Terraform | +| 450 | CKV_AZURE_37 | resource | microsoft.insights/logprofiles | Ensure that Activity Log Retention is set 365 days or greater | arm | +| 451 | CKV_AZURE_38 | resource | azurerm_monitor_log_profile | Ensure audit profile captures all the activities | Terraform | +| 452 | CKV_AZURE_38 | resource | microsoft.insights/logprofiles | Ensure audit profile captures all the activities | arm | +| 453 | CKV_AZURE_39 | resource | azurerm_role_definition | Ensure that no custom subscription owner roles are created | Terraform | +| 454 | CKV_AZURE_39 | resource | Microsoft.Authorization/roleDefinitions | Ensure that no custom subscription owner roles are created | arm | +| 455 | CKV_AZURE_40 | resource | azurerm_key_vault_key | Ensure that the expiration date is set on all keys | Terraform | +| 456 | CKV_AZURE_41 | resource | azurerm_key_vault_secret | Ensure that the expiration date is set on all secrets | Terraform | +| 457 | CKV_AZURE_41 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that the expiration date is set on all secrets | arm | +| 458 | CKV_AZURE_42 | resource | azurerm_key_vault | Ensure the key vault is recoverable | Terraform | +| 459 | CKV_AZURE_42 | resource | Microsoft.KeyVault/vaults | Ensure the key vault is recoverable | arm | +| 460 | CKV_AZURE_43 | resource | azurerm_storage_account | Ensure the Storage Account naming rules | Terraform | +| 461 | CKV_AZURE_44 | resource | azurerm_storage_account | Ensure Storage Account is using the latest version of TLS encryption | Terraform | +| 462 | CKV_AZURE_45 | resource | azurerm_virtual_machine | Ensure that no sensitive credentials are exposed in VM custom_data | Terraform | +| 463 | CKV_AZURE_46 | resource | azurerm_mssql_database_extended_auditing_policy | Specifies a retention period of less than 90 days. | Terraform | +| 464 | CKV_AZURE_47 | resource | azurerm_mariadb_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers | Terraform | +| 465 | CKV_AZURE_48 | resource | azurerm_mariadb_server | Ensure 'public network access enabled' is set to 'False' for MariaDB servers | Terraform | +| 466 | CKV_AZURE_49 | resource | azurerm_linux_virtual_machine_scale_set | Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) | Terraform | +| 467 | CKV_AZURE_50 | resource | azurerm_linux_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform | +| 468 | CKV_AZURE_50 | resource | azurerm_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform | +| 469 | CKV_AZURE_52 | resource | azurerm_mssql_server | Ensure MSSQL is using the latest version of TLS encryption | Terraform | +| 470 | CKV_AZURE_53 | resource | azurerm_mysql_server | Ensure 'public network access enabled' is set to 'False' for mySQL servers | Terraform | +| 471 | CKV_AZURE_54 | resource | azurerm_mysql_server | Ensure MySQL is using the latest version of TLS encryption | Terraform | +| 472 | CKV_AZURE_55 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Servers | Terraform | +| 473 | CKV_AZURE_56 | resource | azurerm_function_app | Ensure that function apps enables Authentication | Terraform | +| 474 | CKV_AZURE_57 | resource | azurerm_app_service | Ensure that CORS disallows every resource to access app services | Terraform | +| 475 | CKV_AZURE_58 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces enables managed virtual networks | Terraform | +| 476 | CKV_AZURE_59 | resource | azurerm_storage_account | Ensure that Storage accounts disallow public access | Terraform | +| 477 | CKV_AZURE_60 | resource | azurerm_storage_account | Ensure that storage account enables secure transfer | Terraform | +| 478 | CKV_AZURE_61 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for App Service | Terraform | +| 479 | CKV_AZURE_62 | resource | azurerm_function_app | Ensure function apps are not accessible from all regions | Terraform | +| 480 | CKV_AZURE_63 | resource | azurerm_app_service | Ensure that App service enables HTTP logging | Terraform | +| 481 | CKV_AZURE_64 | resource | azurerm_storage_sync | Ensure that Azure File Sync disables public network access | Terraform | +| 482 | CKV_AZURE_65 | resource | azurerm_app_service | Ensure that App service enables detailed error messages | Terraform | +| 483 | CKV_AZURE_66 | resource | azurerm_app_service | Ensure that App service enables failed request tracing | Terraform | +| 484 | CKV_AZURE_67 | resource | azurerm_function_app | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Terraform | +| 485 | CKV_AZURE_68 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server disables public network access | Terraform | +| 486 | CKV_AZURE_69 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Azure SQL database servers | Terraform | +| 487 | CKV_AZURE_70 | resource | azurerm_function_app | Ensure that Function apps is only accessible over HTTPS | Terraform | +| 488 | CKV_AZURE_71 | resource | azurerm_app_service | Ensure that Managed identity provider is enabled for app services | Terraform | +| 489 | CKV_AZURE_72 | resource | azurerm_app_service | Ensure that remote debugging is not enabled for app services | Terraform | +| 490 | CKV_AZURE_73 | resource | azurerm_automation_variable_bool | Ensure that Automation account variables are encrypted | Terraform | +| 491 | CKV_AZURE_73 | resource | azurerm_automation_variable_string | Ensure that Automation account variables are encrypted | Terraform | +| 492 | CKV_AZURE_73 | resource | azurerm_automation_variable_int | Ensure that Automation account variables are encrypted | Terraform | +| 493 | CKV_AZURE_73 | resource | azurerm_automation_variable_datetime | Ensure that Automation account variables are encrypted | Terraform | +| 494 | CKV_AZURE_74 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer uses disk encryption | Terraform | +| 495 | CKV_AZURE_75 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer uses double encryption | Terraform | +| 496 | CKV_AZURE_76 | resource | azurerm_batch_account | Ensure that Azure Batch account uses key vault to encrypt data | Terraform | +| 497 | CKV_AZURE_77 | resource | azurerm_network_security_rule | Ensure that UDP Services are restricted from the Internet | Terraform | +| 498 | CKV_AZURE_77 | resource | azurerm_network_security_group | Ensure that UDP Services are restricted from the Internet | Terraform | +| 499 | CKV_AZURE_78 | resource | azurerm_app_service | Ensure FTP deployments are disabled | Terraform | +| 500 | CKV_AZURE_79 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for SQL servers on machines | Terraform | +| 501 | CKV_AZURE_80 | resource | azurerm_app_service | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | Terraform | +| 502 | CKV_AZURE_81 | resource | azurerm_app_service | Ensure that 'PHP version' is the latest, if used to run the web app | Terraform | +| 503 | CKV_AZURE_82 | resource | azurerm_app_service | Ensure that 'Python version' is the latest, if used to run the web app | Terraform | +| 504 | CKV_AZURE_83 | resource | azurerm_app_service | Ensure that 'Java version' is the latest, if used to run the web app | Terraform | +| 505 | CKV_AZURE_84 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Storage | Terraform | +| 506 | CKV_AZURE_85 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Kubernetes | Terraform | +| 507 | CKV_AZURE_86 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Container Registries | Terraform | +| 508 | CKV_AZURE_87 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Key Vault | Terraform | +| 509 | CKV_AZURE_88 | resource | azurerm_app_service | Ensure that app services use Azure Files | Terraform | +| 510 | CKV_AZURE_89 | resource | azurerm_redis_cache | Ensure that Azure Cache for Redis disables public network access | Terraform | +| 511 | CKV_AZURE_90 | resource | azurerm_mysql_server | Ensure that MySQL server disables public network access | Terraform | +| 512 | CKV_AZURE_91 | resource | azurerm_redis_cache | Ensure that only SSL are enabled for Cache for Redis | Terraform | +| 513 | CKV_AZURE_92 | resource | azurerm_linux_virtual_machine | Ensure that Virtual Machines use managed disks | Terraform | +| 514 | CKV_AZURE_92 | resource | azurerm_windows_virtual_machine | Ensure that Virtual Machines use managed disks | Terraform | +| 515 | CKV_AZURE_93 | resource | azurerm_managed_disk | Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption | Terraform | +| 516 | CKV_AZURE_94 | resource | azurerm_mysql_server | Ensure that My SQL server enables geo-redundant backups | Terraform | +| 517 | CKV_AZURE_95 | resource | azurerm_virtual_machine_scale_set | Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets | Terraform | +| 518 | CKV_AZURE_96 | resource | azurerm_mysql_server | Ensure that MySQL server enables infrastructure encryption | Terraform | +| 519 | CKV_AZURE_97 | resource | azurerm_linux_virtual_machine_scale_set | Ensure that Virtual machine scale sets have encryption at host enabled | Terraform | +| 520 | CKV_AZURE_97 | resource | azurerm_windows_virtual_machine_scale_set | Ensure that Virtual machine scale sets have encryption at host enabled | Terraform | +| 521 | CKV_AZURE_98 | resource | azurerm_container_group | Ensure that Azure Container group is deployed into virtual network | Terraform | +| 522 | CKV_AZURE_99 | resource | azurerm_cosmosdb_account | Ensure Cosmos DB accounts have restricted access | Terraform | +| 523 | CKV_AZURE_100 | resource | azurerm_cosmosdb_account | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest | Terraform | +| 524 | CKV_AZURE_101 | resource | azurerm_cosmosdb_account | Ensure that Azure Cosmos DB disables public network access | Terraform | +| 525 | CKV_AZURE_102 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables geo-redundant backups | Terraform | +| 526 | CKV_AZURE_103 | resource | azurerm_data_factory | Ensure that Azure Data Factory uses Git repository for source control | Terraform | +| 527 | CKV_AZURE_104 | resource | azurerm_data_factory | Ensure that Azure Data factory public network access is disabled | Terraform | +| 528 | CKV_AZURE_105 | resource | azurerm_data_lake_store | Ensure that Data Lake Store accounts enables encryption | Terraform | +| 529 | CKV_AZURE_106 | resource | azurerm_eventgrid_domain | Ensure that Azure Event Grid Domain public network access is disabled | Terraform | +| 530 | CKV_AZURE_107 | resource | azurerm_api_management | Ensure that API management services use virtual networks | Terraform | +| 531 | CKV_AZURE_108 | resource | azurerm_iothub | Ensure that Azure IoT Hub disables public network access | Terraform | +| 532 | CKV_AZURE_109 | resource | azurerm_key_vault | Ensure that key vault allows firewall rules settings | Terraform | +| 533 | CKV_AZURE_110 | resource | azurerm_key_vault | Ensure that key vault enables purge protection | Terraform | +| 534 | CKV_AZURE_111 | resource | azurerm_key_vault | Ensure that key vault enables soft delete | Terraform | +| 535 | CKV_AZURE_112 | resource | azurerm_key_vault_key | Ensure that key vault key is backed by HSM | Terraform | +| 536 | CKV_AZURE_113 | resource | azurerm_mssql_server | Ensure that SQL server disables public network access | Terraform | +| 537 | CKV_AZURE_114 | resource | azurerm_key_vault_secret | Ensure that key vault secrets have "content_type" set | Terraform | +| 538 | CKV_AZURE_115 | resource | azurerm_kubernetes_cluster | Ensure that AKS enables private clusters | Terraform | +| 539 | CKV_AZURE_116 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses Azure Policies Add-on | Terraform | +| 540 | CKV_AZURE_117 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses disk encryption set | Terraform | +| 541 | CKV_AZURE_118 | resource | azurerm_network_interface | Ensure that Network Interfaces disable IP forwarding | Terraform | +| 542 | CKV_AZURE_119 | resource | azurerm_network_interface | Ensure that Network Interfaces don't use public IPs | Terraform | +| 543 | CKV_AZURE_120 | resource | azurerm_application_gateway | Ensure that Application Gateway enables WAF | Terraform | +| 544 | CKV_AZURE_121 | resource | azurerm_frontdoor | Ensure that Azure Front Door enables WAF | Terraform | +| 545 | CKV_AZURE_122 | resource | azurerm_web_application_firewall_policy | Ensure that Application Gateway uses WAF in "Detection" or "Prevention" modes | Terraform | +| 546 | CKV_AZURE_123 | resource | azurerm_frontdoor_firewall_policy | Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes | Terraform | +| 547 | CKV_AZURE_124 | resource | azurerm_search_service | Ensure that Azure Cognitive Search disables public network access | Terraform | +| 548 | CKV_AZURE_125 | resource | azurerm_service_fabric_cluster | Ensures that Service Fabric use three levels of protection available | Terraform | +| 549 | CKV_AZURE_126 | resource | azurerm_service_fabric_cluster | Ensures that Active Directory is used for authentication for Service Fabric | Terraform | +| 550 | CKV_AZURE_127 | resource | azurerm_mysql_server | Ensure that My SQL server enables Threat detection policy | Terraform | +| 551 | CKV_AZURE_128 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables Threat detection policy | Terraform | +| 552 | CKV_AZURE_129 | resource | azurerm_mariadb_server | Ensure that MariaDB server enables geo-redundant backups | Terraform | +| 553 | CKV_AZURE_130 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables infrastructure encryption | Terraform | +| 554 | CKV_AZURE_131 | resource | azurerm_security_center_contact | Ensure that 'Security contact emails' is set | Terraform | +| 555 | CKV_AZURE_131 | parameter | secureString | SecureString parameter should not have hardcoded default values | arm | +| 556 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | +| 557 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 558 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 559 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 560 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 561 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 562 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 563 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 564 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 565 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 566 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 567 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 568 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 569 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 570 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | +| 571 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | +| 572 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | +| 573 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | +| 574 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 575 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 576 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | +| 577 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | +| 578 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | +| 579 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | +| 580 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | +| 581 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | +| 582 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | +| 583 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 584 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 585 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 586 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 587 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 588 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 589 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | +| 590 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 591 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 592 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 593 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 594 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 595 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 596 | CKV_DOCKER_1 | dockerfile | EXPOSE | Ensure port 22 is not exposed | dockerfile | +| 597 | CKV_DOCKER_2 | dockerfile | * | Ensure that HEALTHCHECK instructions have been added to container images | dockerfile | +| 598 | CKV_DOCKER_3 | dockerfile | * | Ensure that a user for the container has been created | dockerfile | +| 599 | CKV_DOCKER_4 | dockerfile | ADD | Ensure that COPY is used instead of ADD in Dockerfiles | dockerfile | +| 600 | CKV_DOCKER_5 | dockerfile | RUN | Ensure update instructions are not use alone in the Dockerfile | dockerfile | +| 601 | CKV_DOCKER_6 | dockerfile | MAINTAINER | Ensure that LABEL maintainer is used instead of MAINTAINER (deprecated) | dockerfile | +| 602 | CKV_DOCKER_7 | dockerfile | FROM | Ensure the base image uses a non latest version tag | dockerfile | +| 603 | CKV_DOCKER_8 | dockerfile | USER | Ensure the last USER is not root | dockerfile | +| 604 | CKV_GCP_1 | resource | google_container_cluster | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters | Terraform | +| 605 | CKV_GCP_2 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted ssh access | Terraform | +| 606 | CKV_GCP_3 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted rdp access | Terraform | +| 607 | CKV_GCP_4 | resource | google_compute_ssl_policy | Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites | Terraform | +| 608 | CKV_GCP_6 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance requires all incoming connections to use SSL | Terraform | +| 609 | CKV_GCP_7 | resource | google_container_cluster | Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters | Terraform | +| 610 | CKV_GCP_8 | resource | google_container_cluster | Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters | Terraform | +| 611 | CKV_GCP_9 | resource | google_container_node_pool | Ensure 'Automatic node repair' is enabled for Kubernetes Clusters | Terraform | +| 612 | CKV_GCP_10 | resource | google_container_node_pool | Ensure 'Automatic node upgrade' is enabled for Kubernetes Clusters | Terraform | +| 613 | CKV_GCP_11 | resource | google_sql_database_instance | Ensure that Cloud SQL database Instances are not open to the world | Terraform | +| 614 | CKV_GCP_12 | resource | google_container_cluster | Ensure Network Policy is enabled on Kubernetes Engine Clusters | Terraform | +| 615 | CKV_GCP_13 | resource | google_container_cluster | Ensure a client certificate is used by clients to authenticate to Kubernetes Engine Clusters | Terraform | +| 616 | CKV_GCP_14 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance have backup configuration enabled | Terraform | +| 617 | CKV_GCP_15 | resource | google_bigquery_dataset | Ensure that BigQuery datasets are not anonymously or publicly accessible | Terraform | +| 618 | CKV_GCP_16 | resource | google_dns_managed_zone | Ensure that DNSSEC is enabled for Cloud DNS | Terraform | +| 619 | CKV_GCP_17 | resource | google_dns_managed_zone | Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC | Terraform | +| 620 | CKV_GCP_18 | resource | google_container_cluster | Ensure GKE Control Plane is not public | Terraform | +| 621 | CKV_GCP_19 | resource | google_container_cluster | Ensure GKE basic auth is disabled | Terraform | +| 622 | CKV_GCP_20 | resource | google_container_cluster | Ensure master authorized networks is set to enabled in GKE clusters | Terraform | +| 623 | CKV_GCP_21 | resource | google_container_cluster | Ensure Kubernetes Clusters are configured with Labels | Terraform | +| 624 | CKV_GCP_22 | resource | google_container_node_pool | Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image | Terraform | +| 625 | CKV_GCP_23 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Alias IP ranges enabled | Terraform | +| 626 | CKV_GCP_24 | resource | google_container_cluster | Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters | Terraform | +| 627 | CKV_GCP_25 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Private cluster enabled | Terraform | +| 628 | CKV_GCP_26 | resource | google_compute_subnetwork | Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network | Terraform | +| 629 | CKV_GCP_27 | resource | google_project | Ensure that the default network does not exist in a project | Terraform | +| 630 | CKV_GCP_28 | resource | google_storage_bucket_iam_member | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | +| 631 | CKV_GCP_28 | resource | google_storage_bucket_iam_binding | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | +| 632 | CKV_GCP_29 | resource | google_storage_bucket | Ensure that Cloud Storage buckets have uniform bucket-level access enabled | Terraform | +| 633 | CKV_GCP_30 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account | Terraform | +| 634 | CKV_GCP_31 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | +| 635 | CKV_GCP_32 | resource | google_compute_instance | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | +| 636 | CKV_GCP_33 | resource | google_compute_project_metadata | Ensure oslogin is enabled for a Project | Terraform | +| 637 | CKV_GCP_34 | resource | google_compute_instance | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | +| 638 | CKV_GCP_35 | resource | google_compute_instance | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | +| 639 | CKV_GCP_36 | resource | google_compute_instance | Ensure that IP forwarding is not enabled on Instances | Terraform | +| 640 | CKV_GCP_37 | resource | google_compute_disk | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | +| 641 | CKV_GCP_38 | resource | google_compute_instance | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | +| 642 | CKV_GCP_39 | resource | google_compute_instance | Ensure Compute instances are launched with Shielded VM enabled | Terraform | +| 643 | CKV_GCP_40 | resource | google_compute_instance | Ensure that Compute instances do not have public IP addresses | Terraform | +| 644 | CKV_GCP_41 | resource | google_project_iam_member | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | +| 645 | CKV_GCP_41 | resource | google_project_iam_binding | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | +| 646 | CKV_GCP_42 | resource | google_project_iam_member | Ensure that Service Account has no Admin privileges | Terraform | +| 647 | CKV_GCP_43 | resource | google_kms_crypto_key | Ensure KMS encryption keys are rotated within a period of 90 days | Terraform | +| 648 | CKV_GCP_44 | resource | google_folder_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | +| 649 | CKV_GCP_44 | resource | google_folder_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | +| 650 | CKV_GCP_45 | resource | google_organization_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform | +| 651 | CKV_GCP_45 | resource | google_organization_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform | +| 652 | CKV_GCP_46 | resource | google_project_iam_member | Ensure Default Service account is not used at a project level | Terraform | +| 653 | CKV_GCP_46 | resource | google_project_iam_binding | Ensure Default Service account is not used at a project level | Terraform | +| 654 | CKV_GCP_47 | resource | google_organization_iam_member | Ensure default service account is not used at an organization level | Terraform | +| 655 | CKV_GCP_47 | resource | google_organization_iam_binding | Ensure default service account is not used at an organization level | Terraform | +| 656 | CKV_GCP_48 | resource | google_folder_iam_member | Ensure Default Service account is not used at a folder level | Terraform | +| 657 | CKV_GCP_48 | resource | google_folder_iam_binding | Ensure Default Service account is not used at a folder level | Terraform | +| 658 | CKV_GCP_49 | resource | google_project_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at a project level | Terraform | +| 659 | CKV_GCP_49 | resource | google_project_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at a project level | Terraform | +| 660 | CKV_GCP_50 | resource | google_sql_database_instance | Ensure MySQL database 'local_infile' flag is set to 'off' | Terraform | +| 661 | CKV_GCP_51 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_checkpoints' flag is set to 'on' | Terraform | +| 662 | CKV_GCP_52 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_connections' flag is set to 'on' | Terraform | +| 663 | CKV_GCP_53 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_disconnections' flag is set to 'on' | Terraform | +| 664 | CKV_GCP_54 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_lock_waits' flag is set to 'on' | Terraform | +| 665 | CKV_GCP_55 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_messages' flag is set to a valid value | Terraform | +| 666 | CKV_GCP_56 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_temp_files flag is set to '0' | Terraform | +| 667 | CKV_GCP_57 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_duration_statement' flag is set to '-1' | Terraform | +| 668 | CKV_GCP_58 | resource | google_sql_database_instance | Ensure SQL database 'cross db ownership chaining' flag is set to 'off' | Terraform | +| 669 | CKV_GCP_59 | resource | google_sql_database_instance | Ensure SQL database 'contained database authentication' flag is set to 'off' | Terraform | +| 670 | CKV_GCP_60 | resource | google_sql_database_instance | Ensure SQL database do not have public IP | Terraform | +| 671 | CKV_GCP_61 | resource | google_container_cluster | Enable VPC Flow Logs and Intranode Visibility | Terraform | +| 672 | CKV_GCP_62 | resource | google_storage_bucket | Bucket should log access | Terraform | +| 673 | CKV_GCP_63 | resource | google_storage_bucket | Bucket should not log to itself | Terraform | +| 674 | CKV_GCP_64 | resource | google_container_cluster | Ensure clusters are created with Private Nodes | Terraform | +| 675 | CKV_GCP_65 | resource | google_container_cluster | Manage Kubernetes RBAC users with Google Groups for GKE | Terraform | +| 676 | CKV_GCP_66 | resource | google_container_cluster | Ensure use of Binary Authorization | Terraform | +| 677 | CKV_GCP_67 | resource | google_container_cluster | Ensure legacy Compute Engine instance metadata APIs are Disabled | Terraform | +| 678 | CKV_GCP_68 | resource | google_container_cluster | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | +| 679 | CKV_GCP_68 | resource | google_container_node_pool | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | +| 680 | CKV_GCP_69 | resource | google_container_cluster | Ensure the GKE Metadata Server is Enabled | Terraform | +| 681 | CKV_GCP_69 | resource | google_container_node_pool | Ensure the GKE Metadata Server is Enabled | Terraform | +| 682 | CKV_GCP_70 | resource | google_container_cluster | Ensure the GKE Release Channel is set | Terraform | +| 683 | CKV_GCP_71 | resource | google_container_cluster | Ensure Shielded GKE Nodes are Enabled | Terraform | +| 684 | CKV_GCP_72 | resource | google_container_cluster | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | +| 685 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | +| 686 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | +| 687 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | +| 688 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 689 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 690 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 691 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 692 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 693 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 694 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 695 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 696 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 697 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 698 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 699 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 700 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 701 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 702 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 703 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 704 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 705 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 706 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 707 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 708 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 709 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 710 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 711 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 712 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 713 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 714 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 715 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 716 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 717 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 718 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 719 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 720 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 721 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 722 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 723 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 724 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 725 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 726 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 727 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 728 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 729 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 730 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 731 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 732 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 733 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 734 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 735 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 736 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 737 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 738 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 739 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 740 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 741 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 742 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 743 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 744 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 745 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 746 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 747 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 748 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 749 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 750 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 751 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 752 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 753 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 754 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 755 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 756 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 757 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 758 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 759 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 760 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 761 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 762 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 763 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 764 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 765 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 766 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 767 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 768 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 769 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 770 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 771 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 772 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 773 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 774 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 775 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 776 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 777 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 778 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 779 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 780 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 781 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 782 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 783 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 784 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 785 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 786 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 787 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 788 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 789 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 790 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 791 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 792 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 793 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 794 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 795 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 796 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 797 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 798 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 799 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 800 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 801 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 802 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 803 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 804 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 805 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 806 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 807 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 808 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 809 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 810 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 811 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 812 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 813 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 814 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 815 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 816 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 817 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 818 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 819 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 820 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 821 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 822 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 823 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 824 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 825 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 826 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 827 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 828 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 829 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 830 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 831 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 832 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 833 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 834 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 835 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 836 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 837 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 838 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 839 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 840 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 841 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 842 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 843 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 844 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 845 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 846 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 847 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 848 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 849 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 850 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 851 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 852 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 853 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 854 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 855 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 856 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 857 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 858 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 859 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 860 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 861 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 862 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 863 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 864 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 865 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 866 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 867 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 868 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 869 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 870 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 871 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 872 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 873 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 874 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 875 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 876 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 877 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 878 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 879 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 880 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 881 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 882 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 883 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 884 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 885 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 886 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 887 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 888 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 889 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 890 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 891 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 892 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 893 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 894 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 895 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 896 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 897 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 898 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 899 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 900 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 901 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 902 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 903 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 904 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 905 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 906 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 907 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 908 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 909 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 910 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 911 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 912 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 913 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 914 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 915 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 916 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 917 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 918 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 919 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 920 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 921 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 922 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 923 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 924 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 925 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 926 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 927 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 928 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 929 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 930 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 931 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 932 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 933 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 934 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 935 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 936 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 937 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 938 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 939 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 940 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 941 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 942 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 943 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 944 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 945 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 946 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 947 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 948 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 949 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 950 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 951 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 952 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 953 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 954 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 955 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 956 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 957 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 958 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 959 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 960 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 961 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform | +| 962 | CKV_K8S_1 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host process ID namespace | Kubernetes | +| 963 | CKV_K8S_2 | resource | PodSecurityPolicy | Do not admit privileged containers | Kubernetes | +| 964 | CKV_K8S_3 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host IPC namespace | Kubernetes | +| 965 | CKV_K8S_4 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host network namespace | Kubernetes | +| 966 | CKV_K8S_5 | resource | PodSecurityPolicy | Containers should not run with allowPrivilegeEscalation | Kubernetes | +| 967 | CKV_K8S_6 | resource | PodSecurityPolicy | Do not admit root containers | Kubernetes | +| 968 | CKV_K8S_7 | resource | PodSecurityPolicy | Do not admit containers with the NET_RAW capability | Kubernetes | +| 969 | CKV_K8S_8 | resource | containers | Liveness Probe Should be Configured | Kubernetes | +| 970 | CKV_K8S_9 | resource | containers | Readiness Probe Should be Configured | Kubernetes | +| 971 | CKV_K8S_10 | resource | containers | CPU requests should be set | Kubernetes | +| 972 | CKV_K8S_10 | resource | initContainers | CPU requests should be set | Kubernetes | +| 973 | CKV_K8S_11 | resource | containers | CPU limits should be set | Kubernetes | +| 974 | CKV_K8S_11 | resource | initContainers | CPU limits should be set | Kubernetes | +| 975 | CKV_K8S_12 | resource | containers | Memory requests should be set | Kubernetes | +| 976 | CKV_K8S_12 | resource | initContainers | Memory requests should be set | Kubernetes | +| 977 | CKV_K8S_13 | resource | containers | Memory limits should be set | Kubernetes | +| 978 | CKV_K8S_13 | resource | initContainers | Memory limits should be set | Kubernetes | +| 979 | CKV_K8S_14 | resource | containers | Image Tag should be fixed - not latest or blank | Kubernetes | +| 980 | CKV_K8S_14 | resource | initContainers | Image Tag should be fixed - not latest or blank | Kubernetes | +| 981 | CKV_K8S_15 | resource | containers | Image Pull Policy should be Always | Kubernetes | +| 982 | CKV_K8S_15 | resource | initContainers | Image Pull Policy should be Always | Kubernetes | +| 983 | CKV_K8S_16 | resource | containers | Container should not be privileged | Kubernetes | +| 984 | CKV_K8S_16 | resource | initContainers | Container should not be privileged | Kubernetes | +| 985 | CKV_K8S_17 | resource | Pod | Containers should not share the host process ID namespace | Kubernetes | +| 986 | CKV_K8S_17 | resource | Deployment | Containers should not share the host process ID namespace | Kubernetes | +| 987 | CKV_K8S_17 | resource | DaemonSet | Containers should not share the host process ID namespace | Kubernetes | +| 988 | CKV_K8S_17 | resource | StatefulSet | Containers should not share the host process ID namespace | Kubernetes | +| 989 | CKV_K8S_17 | resource | ReplicaSet | Containers should not share the host process ID namespace | Kubernetes | +| 990 | CKV_K8S_17 | resource | ReplicationController | Containers should not share the host process ID namespace | Kubernetes | +| 991 | CKV_K8S_17 | resource | Job | Containers should not share the host process ID namespace | Kubernetes | +| 992 | CKV_K8S_17 | resource | CronJob | Containers should not share the host process ID namespace | Kubernetes | +| 993 | CKV_K8S_18 | resource | Pod | Containers should not share the host IPC namespace | Kubernetes | +| 994 | CKV_K8S_18 | resource | Deployment | Containers should not share the host IPC namespace | Kubernetes | +| 995 | CKV_K8S_18 | resource | DaemonSet | Containers should not share the host IPC namespace | Kubernetes | +| 996 | CKV_K8S_18 | resource | StatefulSet | Containers should not share the host IPC namespace | Kubernetes | +| 997 | CKV_K8S_18 | resource | ReplicaSet | Containers should not share the host IPC namespace | Kubernetes | +| 998 | CKV_K8S_18 | resource | ReplicationController | Containers should not share the host IPC namespace | Kubernetes | +| 999 | CKV_K8S_18 | resource | Job | Containers should not share the host IPC namespace | Kubernetes | +| 1000 | CKV_K8S_18 | resource | CronJob | Containers should not share the host IPC namespace | Kubernetes | +| 1001 | CKV_K8S_19 | resource | Pod | Containers should not share the host network namespace | Kubernetes | +| 1002 | CKV_K8S_19 | resource | Deployment | Containers should not share the host network namespace | Kubernetes | +| 1003 | CKV_K8S_19 | resource | DaemonSet | Containers should not share the host network namespace | Kubernetes | +| 1004 | CKV_K8S_19 | resource | StatefulSet | Containers should not share the host network namespace | Kubernetes | +| 1005 | CKV_K8S_19 | resource | ReplicaSet | Containers should not share the host network namespace | Kubernetes | +| 1006 | CKV_K8S_19 | resource | ReplicationController | Containers should not share the host network namespace | Kubernetes | +| 1007 | CKV_K8S_19 | resource | Job | Containers should not share the host network namespace | Kubernetes | +| 1008 | CKV_K8S_19 | resource | CronJob | Containers should not share the host network namespace | Kubernetes | +| 1009 | CKV_K8S_20 | resource | containers | Containers should not run with allowPrivilegeEscalation | Kubernetes | +| 1010 | CKV_K8S_20 | resource | initContainers | Containers should not run with allowPrivilegeEscalation | Kubernetes | +| 1011 | CKV_K8S_21 | resource | Service | The default namespace should not be used | Kubernetes | +| 1012 | CKV_K8S_21 | resource | Pod | The default namespace should not be used | Kubernetes | +| 1013 | CKV_K8S_21 | resource | Deployment | The default namespace should not be used | Kubernetes | +| 1014 | CKV_K8S_21 | resource | DaemonSet | The default namespace should not be used | Kubernetes | +| 1015 | CKV_K8S_21 | resource | StatefulSet | The default namespace should not be used | Kubernetes | +| 1016 | CKV_K8S_21 | resource | ReplicaSet | The default namespace should not be used | Kubernetes | +| 1017 | CKV_K8S_21 | resource | ReplicationController | The default namespace should not be used | Kubernetes | +| 1018 | CKV_K8S_21 | resource | Job | The default namespace should not be used | Kubernetes | +| 1019 | CKV_K8S_21 | resource | CronJob | The default namespace should not be used | Kubernetes | +| 1020 | CKV_K8S_21 | resource | Secret | The default namespace should not be used | Kubernetes | +| 1021 | CKV_K8S_21 | resource | ServiceAccount | The default namespace should not be used | Kubernetes | +| 1022 | CKV_K8S_21 | resource | Role | The default namespace should not be used | Kubernetes | +| 1023 | CKV_K8S_21 | resource | RoleBinding | The default namespace should not be used | Kubernetes | +| 1024 | CKV_K8S_21 | resource | ConfigMap | The default namespace should not be used | Kubernetes | +| 1025 | CKV_K8S_21 | resource | Ingress | The default namespace should not be used | Kubernetes | +| 1026 | CKV_K8S_22 | resource | containers | Use read-only filesystem for containers where possible | Kubernetes | +| 1027 | CKV_K8S_22 | resource | initContainers | Use read-only filesystem for containers where possible | Kubernetes | +| 1028 | CKV_K8S_23 | resource | Pod | Minimize the admission of root containers | Kubernetes | +| 1029 | CKV_K8S_23 | resource | Deployment | Minimize the admission of root containers | Kubernetes | +| 1030 | CKV_K8S_23 | resource | DaemonSet | Minimize the admission of root containers | Kubernetes | +| 1031 | CKV_K8S_23 | resource | StatefulSet | Minimize the admission of root containers | Kubernetes | +| 1032 | CKV_K8S_23 | resource | ReplicaSet | Minimize the admission of root containers | Kubernetes | +| 1033 | CKV_K8S_23 | resource | ReplicationController | Minimize the admission of root containers | Kubernetes | +| 1034 | CKV_K8S_23 | resource | Job | Minimize the admission of root containers | Kubernetes | +| 1035 | CKV_K8S_23 | resource | CronJob | Minimize the admission of root containers | Kubernetes | +| 1036 | CKV_K8S_24 | resource | PodSecurityPolicy | Do not allow containers with added capability | Kubernetes | +| 1037 | CKV_K8S_25 | resource | containers | Minimize the admission of containers with added capability | Kubernetes | +| 1038 | CKV_K8S_25 | resource | initContainers | Minimize the admission of containers with added capability | Kubernetes | +| 1039 | CKV_K8S_26 | resource | containers | Do not specify hostPort unless absolutely necessary | Kubernetes | +| 1040 | CKV_K8S_26 | resource | initContainers | Do not specify hostPort unless absolutely necessary | Kubernetes | +| 1041 | CKV_K8S_27 | resource | Pod | Do not expose the docker daemon socket to containers | Kubernetes | +| 1042 | CKV_K8S_27 | resource | Deployment | Do not expose the docker daemon socket to containers | Kubernetes | +| 1043 | CKV_K8S_27 | resource | DaemonSet | Do not expose the docker daemon socket to containers | Kubernetes | +| 1044 | CKV_K8S_27 | resource | StatefulSet | Do not expose the docker daemon socket to containers | Kubernetes | +| 1045 | CKV_K8S_27 | resource | ReplicaSet | Do not expose the docker daemon socket to containers | Kubernetes | +| 1046 | CKV_K8S_27 | resource | ReplicationController | Do not expose the docker daemon socket to containers | Kubernetes | +| 1047 | CKV_K8S_27 | resource | Job | Do not expose the docker daemon socket to containers | Kubernetes | +| 1048 | CKV_K8S_27 | resource | CronJob | Do not expose the docker daemon socket to containers | Kubernetes | +| 1049 | CKV_K8S_28 | resource | containers | Minimize the admission of containers with the NET_RAW capability | Kubernetes | +| 1050 | CKV_K8S_28 | resource | initContainers | Minimize the admission of containers with the NET_RAW capability | Kubernetes | +| 1051 | CKV_K8S_29 | resource | Pod | Apply security context to your pods and containers | Kubernetes | +| 1052 | CKV_K8S_29 | resource | Deployment | Apply security context to your pods and containers | Kubernetes | +| 1053 | CKV_K8S_29 | resource | DaemonSet | Apply security context to your pods and containers | Kubernetes | +| 1054 | CKV_K8S_29 | resource | StatefulSet | Apply security context to your pods and containers | Kubernetes | +| 1055 | CKV_K8S_29 | resource | ReplicaSet | Apply security context to your pods and containers | Kubernetes | +| 1056 | CKV_K8S_29 | resource | ReplicationController | Apply security context to your pods and containers | Kubernetes | +| 1057 | CKV_K8S_29 | resource | Job | Apply security context to your pods and containers | Kubernetes | +| 1058 | CKV_K8S_29 | resource | CronJob | Apply security context to your pods and containers | Kubernetes | +| 1059 | CKV_K8S_30 | resource | containers | Apply security context to your pods and containers | Kubernetes | +| 1060 | CKV_K8S_30 | resource | initContainers | Apply security context to your pods and containers | Kubernetes | +| 1061 | CKV_K8S_31 | resource | Pod | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | +| 1062 | CKV_K8S_31 | resource | Deployment | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | +| 1063 | CKV_K8S_31 | resource | DaemonSet | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | +| 1064 | CKV_K8S_31 | resource | StatefulSet | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | +| 1065 | CKV_K8S_31 | resource | ReplicaSet | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | +| 1066 | CKV_K8S_31 | resource | ReplicationController | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | +| 1067 | CKV_K8S_31 | resource | Job | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | +| 1068 | CKV_K8S_31 | resource | CronJob | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | +| 1069 | CKV_K8S_32 | resource | PodSecurityPolicy | Ensure default seccomp profile set to docker/default or runtime/default | Kubernetes | +| 1070 | CKV_K8S_33 | resource | containers | Ensure the Kubernetes dashboard is not deployed | Kubernetes | +| 1071 | CKV_K8S_33 | resource | initContainers | Ensure the Kubernetes dashboard is not deployed | Kubernetes | +| 1072 | CKV_K8S_34 | resource | containers | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | +| 1073 | CKV_K8S_34 | resource | initContainers | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | +| 1074 | CKV_K8S_35 | resource | containers | Prefer using secrets as files over secrets as environment variables | Kubernetes | +| 1075 | CKV_K8S_35 | resource | initContainers | Prefer using secrets as files over secrets as environment variables | Kubernetes | +| 1076 | CKV_K8S_36 | resource | PodSecurityPolicy | Minimize the admission of containers with capabilities assigned | Kubernetes | +| 1077 | CKV_K8S_37 | resource | containers | Minimize the admission of containers with capabilities assigned | Kubernetes | +| 1078 | CKV_K8S_37 | resource | initContainers | Minimize the admission of containers with capabilities assigned | Kubernetes | +| 1079 | CKV_K8S_38 | resource | Pod | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | +| 1080 | CKV_K8S_38 | resource | Deployment | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | +| 1081 | CKV_K8S_38 | resource | DaemonSet | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | +| 1082 | CKV_K8S_38 | resource | StatefulSet | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | +| 1083 | CKV_K8S_38 | resource | ReplicaSet | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | +| 1084 | CKV_K8S_38 | resource | ReplicationController | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | +| 1085 | CKV_K8S_38 | resource | Job | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | +| 1086 | CKV_K8S_38 | resource | CronJob | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | +| 1087 | CKV_K8S_39 | resource | containers | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | +| 1088 | CKV_K8S_39 | resource | initContainers | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | +| 1089 | CKV_K8S_40 | resource | Pod | Containers should run as a high UID to avoid host conflict | Kubernetes | +| 1090 | CKV_K8S_40 | resource | Deployment | Containers should run as a high UID to avoid host conflict | Kubernetes | +| 1091 | CKV_K8S_40 | resource | DaemonSet | Containers should run as a high UID to avoid host conflict | Kubernetes | +| 1092 | CKV_K8S_40 | resource | StatefulSet | Containers should run as a high UID to avoid host conflict | Kubernetes | +| 1093 | CKV_K8S_40 | resource | ReplicaSet | Containers should run as a high UID to avoid host conflict | Kubernetes | +| 1094 | CKV_K8S_40 | resource | ReplicationController | Containers should run as a high UID to avoid host conflict | Kubernetes | +| 1095 | CKV_K8S_40 | resource | Job | Containers should run as a high UID to avoid host conflict | Kubernetes | +| 1096 | CKV_K8S_40 | resource | CronJob | Containers should run as a high UID to avoid host conflict | Kubernetes | +| 1097 | CKV_K8S_41 | resource | ServiceAccount | Ensure that default service accounts are not actively used | Kubernetes | +| 1098 | CKV_K8S_42 | resource | RoleBinding | Ensure that default service accounts are not actively used | Kubernetes | +| 1099 | CKV_K8S_42 | resource | ClusterRoleBinding | Ensure that default service accounts are not actively used | Kubernetes | +| 1100 | CKV_K8S_43 | resource | containers | Image should use digest | Kubernetes | +| 1101 | CKV_K8S_43 | resource | initContainers | Image should use digest | Kubernetes | +| 1102 | CKV_K8S_44 | resource | Service | Ensure that the Tiller Service (Helm v2) is deleted | Kubernetes | +| 1103 | CKV_K8S_45 | resource | containers | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | +| 1104 | CKV_K8S_45 | resource | initContainers | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | +| 1105 | CKV_K8S_49 | resource | Role | Minimize wildcard use in Roles and ClusterRoles | Kubernetes | +| 1106 | CKV_K8S_49 | resource | ClusterRole | Minimize wildcard use in Roles and ClusterRoles | Kubernetes | +| 1107 | CKV_K8S_68 | resource | containers | Ensure that the --anonymous-auth argument is set to false | Kubernetes | +| 1108 | CKV_K8S_69 | resource | containers | Ensure that the --basic-auth-file argument is not set | Kubernetes | +| 1109 | CKV_K8S_70 | resource | containers | Ensure that the --token-auth-file argument is not set | Kubernetes | +| 1110 | CKV_K8S_71 | resource | containers | Ensure that the --kubelet-https argument is set to true | Kubernetes | +| 1111 | CKV_K8S_72 | resource | containers | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | +| 1112 | CKV_K8S_73 | resource | containers | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | +| 1113 | CKV_K8S_74 | resource | containers | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | +| 1114 | CKV_K8S_75 | resource | containers | Ensure that the --authorization-mode argument includes Node | Kubernetes | +| 1115 | CKV_K8S_77 | resource | containers | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | +| 1116 | CKV_K8S_78 | resource | AdmissionConfiguration | Ensure that the admission control plugin EventRateLimit is set | Kubernetes | +| 1117 | CKV_K8S_79 | resource | containers | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | +| 1118 | CKV_K8S_80 | resource | containers | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | +| 1119 | CKV_K8S_81 | resource | containers | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | +| 1120 | CKV_K8S_82 | resource | containers | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | +| 1121 | CKV_K8S_83 | resource | containers | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | +| 1122 | CKV_K8S_84 | resource | containers | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | +| 1123 | CKV_K8S_85 | resource | containers | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | +| 1124 | CKV_K8S_86 | resource | containers | Ensure that the --insecure-bind-address argument is not set | Kubernetes | +| 1125 | CKV_K8S_88 | resource | containers | Ensure that the --insecure-port argument is set to 0 | Kubernetes | +| 1126 | CKV_K8S_89 | resource | containers | Ensure that the --secure-port argument is not set to 0 | Kubernetes | +| 1127 | CKV_K8S_90 | resource | containers | Ensure that the --profiling argument is set to false | Kubernetes | +| 1128 | CKV_K8S_91 | resource | containers | Ensure that the --audit-log-path argument is set | Kubernetes | +| 1129 | CKV_K8S_92 | resource | containers | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | +| 1130 | CKV_K8S_93 | resource | containers | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | +| 1131 | CKV_K8S_94 | resource | containers | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | +| 1132 | CKV_K8S_95 | resource | containers | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | +| 1133 | CKV_K8S_96 | resource | containers | Ensure that the --service-account-lookup argument is set to true | Kubernetes | +| 1134 | CKV_K8S_97 | resource | containers | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | +| 1135 | CKV_K8S_99 | resource | containers | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | +| 1136 | CKV_K8S_100 | resource | containers | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | +| 1137 | CKV_K8S_102 | resource | containers | Ensure that the --etcd-ca-file argument is set as appropriate | Kubernetes | +| 1138 | CKV_K8S_104 | resource | containers | Ensure that encryption providers are appropriately configured | Kubernetes | +| 1139 | CKV_K8S_105 | resource | containers | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | +| 1140 | CKV_K8S_106 | resource | containers | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | +| 1141 | CKV_K8S_107 | resource | containers | Ensure that the --profiling argument is set to false | Kubernetes | +| 1142 | CKV_K8S_108 | resource | containers | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | +| 1143 | CKV_K8S_110 | resource | containers | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | +| 1144 | CKV_K8S_111 | resource | containers | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | +| 1145 | CKV_K8S_112 | resource | containers | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | +| 1146 | CKV_K8S_113 | resource | containers | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | +| 1147 | CKV_K8S_114 | resource | containers | Ensure that the --profiling argument is set to false | Kubernetes | +| 1148 | CKV_K8S_115 | resource | containers | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | +| 1149 | CKV_K8S_116 | resource | containers | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | +| 1150 | CKV_K8S_117 | resource | containers | Ensure that the --client-cert-auth argument is set to true | Kubernetes | +| 1151 | CKV_K8S_118 | resource | containers | Ensure that the --auto-tls argument is not set to true | Kubernetes | +| 1152 | CKV_K8S_119 | resource | containers | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | +| 1153 | CKV_K8S_121 | resource | Pod | Ensure that the --peer-client-cert-auth argument is set to true | Kubernetes | +| 1154 | CKV_K8S_138 | resource | containers | Ensure that the --anonymous-auth argument is set to false | Kubernetes | +| 1155 | CKV_K8S_139 | resource | containers | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | +| 1156 | CKV_K8S_140 | resource | containers | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | +| 1157 | CKV_K8S_141 | resource | containers | Ensure that the --read-only-port argument is set to 0 | Kubernetes | +| 1158 | CKV_K8S_143 | resource | containers | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | +| 1159 | CKV_K8S_144 | resource | containers | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | +| 1160 | CKV_K8S_145 | resource | containers | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | +| 1161 | CKV_K8S_146 | resource | containers | Ensure that the --hostname-override argument is not set | Kubernetes | +| 1162 | CKV_K8S_147 | resource | containers | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | +| 1163 | CKV_K8S_148 | resource | containers | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | +| 1164 | CKV_K8S_149 | resource | containers | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | +| 1165 | CKV_K8S_150 | resource | containers | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | +| 1166 | CKV_K8S_151 | resource | containers | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | +| 1167 | CKV_LIN_1 | provider | linode | Ensure no hard coded Linode tokens exist in provider | Terraform | +| 1168 | CKV_LIN_2 | resource | linode_instance | Ensure SSH key set in authorized_keys | Terraform | +| 1169 | CKV_SECRET_1 | Artifactory Credentials | secrets | Artifactory Credentials | Artifactory Credentials | +| 1170 | CKV_SECRET_2 | AWS Access Key | secrets | AWS Access Key | AWS Access Key | +| 1171 | CKV_SECRET_3 | Azure Storage Account access key | secrets | Azure Storage Account access key | Azure Storage Account access key | +| 1172 | CKV_SECRET_4 | Basic Auth Credentials | secrets | Basic Auth Credentials | Basic Auth Credentials | +| 1173 | CKV_SECRET_5 | Cloudant Credentials | secrets | Cloudant Credentials | Cloudant Credentials | +| 1174 | CKV_SECRET_6 | Base64 High Entropy String | secrets | Base64 High Entropy String | Base64 High Entropy String | +| 1175 | CKV_SECRET_7 | IBM Cloud IAM Key | secrets | IBM Cloud IAM Key | IBM Cloud IAM Key | +| 1176 | CKV_SECRET_8 | IBM COS HMAC Credentials | secrets | IBM COS HMAC Credentials | IBM COS HMAC Credentials | +| 1177 | CKV_SECRET_9 | JSON Web Token | secrets | JSON Web Token | JSON Web Token | +| 1178 | CKV_SECRET_11 | Mailchimp Access Key | secrets | Mailchimp Access Key | Mailchimp Access Key | +| 1179 | CKV_SECRET_12 | NPM tokens | secrets | NPM tokens | NPM tokens | +| 1180 | CKV_SECRET_13 | Private Key | secrets | Private Key | Private Key | +| 1181 | CKV_SECRET_14 | Slack Token | secrets | Slack Token | Slack Token | +| 1182 | CKV_SECRET_15 | SoftLayer Credentials | secrets | SoftLayer Credentials | SoftLayer Credentials | +| 1183 | CKV_SECRET_16 | Square OAuth Secret | secrets | Square OAuth Secret | Square OAuth Secret | +| 1184 | CKV_SECRET_17 | Stripe Access Key | secrets | Stripe Access Key | Stripe Access Key | +| 1185 | CKV_SECRET_18 | Twilio API Key | secrets | Twilio API Key | Twilio API Key | +| 1186 | CKV_SECRET_19 | Hex High Entropy String | secrets | Hex High Entropy String | Hex High Entropy String | --- From 8b849cbbfe29120005747c23c3420c7f88e22dcc Mon Sep 17 00:00:00 2001 From: Barak Schoster Goihman Date: Mon, 9 Aug 2021 14:34:39 +0300 Subject: [PATCH 026/203] add secrets to list command (#1480) --- docs/5.Policy Index/serverless.md | 129 ++++++++++++++++++++++++++++++ 1 file changed, 129 insertions(+) diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index d35af83ca3..903b7147ef 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md @@ -16,3 +16,132 @@ nav_order: 1 --- +| | Id | Type | Entity | Policy | IaC | +|-----|-------------|----------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| +| 0 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | +| 1 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | +| 2 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | +| 3 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | +| 4 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | +| 5 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | +| 6 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | +| 7 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | +| 8 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | +| 9 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | +| 10 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | +| 11 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | +| 12 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | +| 13 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | +| 14 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | +| 15 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 16 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 17 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 18 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 19 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | +| 20 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | +| 21 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | +| 22 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | +| 23 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | +| 24 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | +| 25 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | +| 26 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | +| 27 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | +| 28 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | +| 29 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | +| 30 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | +| 31 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | +| 32 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | +| 33 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | +| 34 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | +| 35 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | +| 36 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | +| 37 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | +| 38 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | +| 39 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | +| 40 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | +| 41 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | +| 42 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | +| 43 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | +| 44 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | +| 45 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | +| 46 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | +| 47 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | +| 48 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | +| 49 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | +| 50 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | +| 51 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | +| 52 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | +| 53 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | +| 54 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | +| 55 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | +| 56 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | +| 57 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | +| 58 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | +| 59 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | +| 60 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | +| 61 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | +| 62 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | +| 63 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | +| 64 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | +| 65 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | +| 66 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | +| 67 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | +| 68 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | +| 69 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | +| 70 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | +| 71 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | +| 72 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | +| 73 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | +| 74 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | +| 75 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | +| 76 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | +| 77 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | +| 78 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | +| 79 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | +| 80 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 81 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 82 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 83 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 84 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 85 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 86 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 87 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 88 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 89 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 90 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 91 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 92 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 93 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 94 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 95 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 96 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 97 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 98 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 99 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 100 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 101 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 102 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 103 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 104 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 105 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | +| 106 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | +| 107 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | +| 108 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | +| 109 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | +| 110 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | +| 111 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | +| 112 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | +| 113 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | +| 114 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | +| 115 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | +| 116 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | +| 117 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | +| 118 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | +| 119 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | +| 120 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | +| 121 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | + + +--- + + From 3a4739fc67b41aff77a5174c1151aa40ae22fcde Mon Sep 17 00:00:00 2001 From: Nimrod Kor Date: Mon, 9 Aug 2021 14:24:18 +0300 Subject: [PATCH 027/203] Merge pull request #1478 from bridgecrewio/fix_azure_125 Fix CKV_AZURE_125 --- checkov/version.py | 2 +- kubernetes/requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/checkov/version.py b/checkov/version.py index 10a193245f..b81427ff94 100644 --- a/checkov/version.py +++ b/checkov/version.py @@ -1 +1 @@ -version = '2.0.338' +version = '2.0.339' diff --git a/kubernetes/requirements.txt b/kubernetes/requirements.txt index f9404998ed..a63e617704 100644 --- a/kubernetes/requirements.txt +++ b/kubernetes/requirements.txt @@ -1 +1 @@ -checkov==2.0.338 +checkov==2.0.339 From 7ef4f231e83649a5e5045da79041789ce628409e Mon Sep 17 00:00:00 2001 From: James Woolfenden Date: Mon, 9 Aug 2021 12:36:00 +0100 Subject: [PATCH 028/203] refactored test to use new method --- .../aws/CodeBuildProjectEncryption.py | 10 +-- .../main.tf | 31 ++++++++ .../aws/test_CodeBuildProjectEncryption.py | 77 +++++++------------ 3 files changed, 62 insertions(+), 56 deletions(-) create mode 100644 tests/terraform/checks/resource/aws/example_CodeBuildProjectEncryption/main.tf diff --git a/checkov/terraform/checks/resource/aws/CodeBuildProjectEncryption.py b/checkov/terraform/checks/resource/aws/CodeBuildProjectEncryption.py index f9c908d008..315bffc5de 100644 --- a/checkov/terraform/checks/resource/aws/CodeBuildProjectEncryption.py +++ b/checkov/terraform/checks/resource/aws/CodeBuildProjectEncryption.py @@ -16,13 +16,11 @@ def scan_resource_conf(self, conf): return CheckResult.UNKNOWN artifact = conf['artifacts'][0] if isinstance(artifact, dict): - if artifact['type'] == "NO_ARTIFACTS": - self.evaluated_keys = 'artifacts/[0]/type' - elif 'encryption_disabled' in artifact and artifact['encryption_disabled']: - self.evaluated_keys = 'artifacts/[0]/encryption_disabled' + if artifact['type'] == ["NO_ARTIFACTS"]: + return CheckResult.UNKNOWN + if 'encryption_disabled' in artifact: if artifact['encryption_disabled'] == [True]: - return CheckResult.FAILED - + return CheckResult.FAILED return CheckResult.PASSED diff --git a/tests/terraform/checks/resource/aws/example_CodeBuildProjectEncryption/main.tf b/tests/terraform/checks/resource/aws/example_CodeBuildProjectEncryption/main.tf new file mode 100644 index 0000000000..760dfbf558 --- /dev/null +++ b/tests/terraform/checks/resource/aws/example_CodeBuildProjectEncryption/main.tf @@ -0,0 +1,31 @@ +resource "aws_codebuild_project" "fail" { + name = "fail-project" + artifacts { + type = S3 + encryption_disabled = true + } + +} + +resource "aws_codebuild_project" "no_artifacts_encryption_ignored" { + name = "no-art-project" + artifacts { + type = "NO_ARTIFACTS" + encryption_disabled = true + } +} + +resource "aws_codebuild_project" "success_no_encryption_disabled" { + name = "default-project" + artifacts { + type = "S3" + } +} + +resource "aws_codebuild_project" "success" { + name = "success-project" + artifacts { + type = "S3" + encryption_disabled = false + } +} diff --git a/tests/terraform/checks/resource/aws/test_CodeBuildProjectEncryption.py b/tests/terraform/checks/resource/aws/test_CodeBuildProjectEncryption.py index a39d480939..dc91e79a41 100644 --- a/tests/terraform/checks/resource/aws/test_CodeBuildProjectEncryption.py +++ b/tests/terraform/checks/resource/aws/test_CodeBuildProjectEncryption.py @@ -1,62 +1,39 @@ +import os import unittest -from checkov.common.models.enums import CheckResult +from checkov.runner_filter import RunnerFilter from checkov.terraform.checks.resource.aws.CodeBuildProjectEncryption import check +from checkov.terraform.runner import Runner class TestCodeBuildProjectEncryption(unittest.TestCase): + def test(self): + runner = Runner() + current_dir = os.path.dirname(os.path.realpath(__file__)) - def test_failure(self): - resource_conf = { - "name": "test-project", - "artifacts": [ - { - "type": "S3", - "encryption_disabled": True, - } - ], - } - scan_result = check.scan_resource_conf(conf=resource_conf) - self.assertEqual(CheckResult.FAILED, scan_result) - - def test_success_type_no_artifacts_encryption_ignored(self): - resource_conf = { - "name": "test-project", - "artifacts": [ - { - "type": "NO_ARTIFACTS", - "encryption_disabled": True, - } - ], - } - scan_result = check.scan_resource_conf(conf=resource_conf) - self.assertEqual(CheckResult.PASSED, scan_result) - - def test_success_no_encryption_disabled(self): - resource_conf = { - "name": "test-project", - "artifacts": [ - { - "type": "S3", - } - ], + test_files_dir = current_dir + "/example_CodeBuildProjectEncryption" + report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id])) + summary = report.get_summary() + + passing_resources = { + "aws_codebuild_project.success_no_encryption_disabled", + "aws_codebuild_project.success" } - scan_result = check.scan_resource_conf(conf=resource_conf) - self.assertEqual(CheckResult.PASSED, scan_result) - - def test_success(self): - resource_conf = { - "name": "test-project", - "artifacts": [ - { - "type": "S3", - "encryption_disabled": False, - } - ], + failing_resources = { + "aws_codebuild_project.fail", } - scan_result = check.scan_resource_conf(conf=resource_conf) - self.assertEqual(CheckResult.PASSED, scan_result) + + passed_check_resources = set([c.resource for c in report.passed_checks]) + failed_check_resources = set([c.resource for c in report.failed_checks]) + + + self.assertEqual(summary["passed"], 2) + self.assertEqual(summary["failed"], 1) + self.assertEqual(summary["parsing_errors"], 0) + + self.assertEqual(passing_resources, passed_check_resources) + self.assertEqual(failing_resources, failed_check_resources) -if __name__ == '__main__': +if __name__ == "__main__": unittest.main() From da3ed51478909faf2d39154afd81a4b21791e864 Mon Sep 17 00:00:00 2001 From: Barak Schoster Goihman Date: Mon, 9 Aug 2021 14:34:39 +0300 Subject: [PATCH 029/203] add secrets to list command (#1480) --- docs/5.Policy Index/terraform.md | 568 +++++++++++++++---------------- 1 file changed, 284 insertions(+), 284 deletions(-) diff --git a/docs/5.Policy Index/terraform.md b/docs/5.Policy Index/terraform.md index 76675031cc..357bd97cd2 100644 --- a/docs/5.Policy Index/terraform.md +++ b/docs/5.Policy Index/terraform.md @@ -200,8 +200,8 @@ nav_order: 1 | 189 | CKV_AWS_169 | resource | aws_sns_topic_policy | Ensure SNS topic policy is not public by only allowing specific services or principals to access it | Terraform | | 190 | CKV_AWS_170 | resource | aws_qldb_ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Terraform | | 191 | CKV_AWS_171 | resource | aws_emr_security_configuration | Ensure Cluster security configuration encryption is using SSE-KMS | Terraform | -| 192 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | -| 193 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | +| 192 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | +| 193 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | | 194 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | | 195 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | | 196 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | @@ -229,8 +229,8 @@ nav_order: 1 | 218 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | | 219 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | | 220 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 221 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | -| 222 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 221 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 222 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | | 223 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | | 224 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | | 225 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | @@ -390,22 +390,22 @@ nav_order: 1 | 379 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | | 380 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | | 381 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 382 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 383 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 382 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 383 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 384 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 385 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 386 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 385 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 386 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 387 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 388 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 389 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 388 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 389 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | | 390 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 391 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 392 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | | 393 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 394 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 395 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | -| 396 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | -| 397 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 396 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 397 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | | 398 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | | 399 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | | 400 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | @@ -413,19 +413,19 @@ nav_order: 1 | 402 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | | 403 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | | 404 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | -| 405 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 406 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 407 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 408 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 409 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | -| 410 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 405 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 406 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 407 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 408 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 409 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 410 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 411 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | | 412 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | | 413 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | | 414 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 415 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 415 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 416 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 417 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 417 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 418 | CKV_GCP_1 | resource | google_container_cluster | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters | Terraform | | 419 | CKV_GCP_2 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted ssh access | Terraform | | 420 | CKV_GCP_3 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted rdp access | Terraform | @@ -510,271 +510,271 @@ nav_order: 1 | 499 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | | 500 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | | 501 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 502 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 503 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 504 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 505 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 506 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 507 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 508 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 509 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 510 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 511 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 512 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 513 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 514 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 515 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 516 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 517 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 518 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 519 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 520 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 521 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 522 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 523 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 524 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 525 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 526 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 527 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 528 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 529 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 530 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 531 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 532 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 533 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 534 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 535 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 536 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 537 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 538 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 539 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 540 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 541 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 542 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 543 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 544 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 545 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 546 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 547 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 548 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 549 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 550 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 551 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 552 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 553 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 554 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 555 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 556 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 557 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 558 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 559 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 560 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 561 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 562 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 563 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 564 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 565 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 566 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 567 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 568 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 569 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 570 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 571 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 572 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 573 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 574 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 575 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 576 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 577 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 578 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 579 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 580 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 581 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 582 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 583 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 584 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 585 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 586 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 587 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 588 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 589 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 590 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 591 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 592 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 593 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 594 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 595 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 596 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 597 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 598 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 599 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 600 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 601 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 602 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 603 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 604 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 605 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 606 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 607 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 608 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 609 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 610 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 611 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 612 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 613 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 614 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 615 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 616 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 617 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 618 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 619 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 620 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 621 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 622 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 623 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 624 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 625 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 626 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 627 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 628 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 629 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 630 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 631 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 632 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 633 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 634 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 635 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 636 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 637 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 638 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 639 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 640 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 641 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 642 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 643 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 644 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 645 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 646 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 647 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 648 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 649 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 650 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 651 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 652 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 653 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 654 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 655 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 656 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 657 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 658 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 659 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 660 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 661 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 662 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 663 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 664 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 665 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 666 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 667 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 668 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 669 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 670 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 671 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 672 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 673 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 674 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 675 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 676 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 677 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 678 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 679 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 680 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 681 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 682 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 683 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 684 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 685 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 686 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 687 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 688 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 689 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 690 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 691 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 692 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 693 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 694 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 695 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 696 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 697 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 698 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 699 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 700 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 701 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 702 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 703 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 704 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 705 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 706 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 707 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 708 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 709 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 710 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 711 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 712 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 713 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 714 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 715 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 716 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 717 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 718 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 719 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 720 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 721 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 722 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 723 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 724 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 725 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 726 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 727 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 728 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 729 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 730 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 731 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 732 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 733 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 734 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 735 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 736 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 737 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 738 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 739 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 740 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 741 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 742 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 743 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 744 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 745 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 746 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 747 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 748 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 749 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 750 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 751 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 502 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 503 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 504 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 505 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 506 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 507 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 508 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 509 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 510 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 511 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 512 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 513 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 514 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 515 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 516 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 517 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 518 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 519 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 520 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 521 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 522 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 523 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 524 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 525 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 526 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 527 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 528 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 529 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 530 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 531 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 532 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 533 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 534 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 535 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 536 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 537 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 538 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 539 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 540 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 541 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 542 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 543 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 544 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 545 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 546 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 547 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 548 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 549 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 550 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 551 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 552 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 553 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 554 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 555 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 556 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 557 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 558 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 559 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 560 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 561 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 562 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 563 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 564 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 565 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 566 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 567 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 568 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 569 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 570 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 571 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 572 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 573 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 574 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 575 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 576 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 577 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 578 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 579 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 580 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 581 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 582 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 583 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 584 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 585 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 586 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 587 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 588 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 589 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 590 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 591 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 592 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 593 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 594 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 595 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 596 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 597 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 598 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 599 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 600 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 601 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 602 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 603 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 604 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 605 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 606 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 607 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 608 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 609 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 610 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 611 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 612 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 613 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 614 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 615 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 616 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 617 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 618 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 619 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 620 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 621 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 622 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 623 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 624 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 625 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 626 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 627 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 628 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 629 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 630 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 631 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 632 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 633 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 634 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 635 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 636 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 637 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 638 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 639 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 640 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 641 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 642 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 643 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 644 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 645 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 646 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 647 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 648 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 649 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 650 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 651 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 652 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 653 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 654 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 655 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 656 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 657 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 658 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 659 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 660 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 661 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 662 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 663 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 664 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 665 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 666 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 667 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 668 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 669 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 670 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 671 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 672 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 673 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 674 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 675 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 676 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 677 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 678 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 679 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 680 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 681 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 682 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 683 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 684 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 685 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 686 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 687 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 688 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 689 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 690 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 691 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 692 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 693 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 694 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 695 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 696 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 697 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 698 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 699 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 700 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 701 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 702 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 703 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 704 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 705 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 706 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 707 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 708 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 709 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 710 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 711 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 712 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 713 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 714 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 715 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 716 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 717 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 718 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 719 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 720 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 721 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 722 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 723 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 724 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 725 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 726 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 727 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 728 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 729 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 730 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 731 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 732 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 733 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 734 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 735 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 736 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 737 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 738 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 739 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 740 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 741 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 742 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 743 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 744 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 745 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 746 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 747 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 748 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 749 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 750 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 751 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 752 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 753 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 754 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 755 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 756 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 757 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 758 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 759 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 760 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 761 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 762 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 763 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 764 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 765 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 766 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 753 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 754 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 755 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 756 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 757 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 758 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 759 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 760 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 761 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 762 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 763 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 764 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 765 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 766 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 767 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 768 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | | 769 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | From 787ecf0ab7f03d52142dd57dccba598a4042c2fa Mon Sep 17 00:00:00 2001 From: Nimrod Kor Date: Mon, 9 Aug 2021 14:24:18 +0300 Subject: [PATCH 030/203] Merge pull request #1478 from bridgecrewio/fix_azure_125 Fix CKV_AZURE_125 --- docs/5.Policy Index/serverless.md | 129 ------------------------------ 1 file changed, 129 deletions(-) diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index 903b7147ef..d35af83ca3 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md @@ -16,132 +16,3 @@ nav_order: 1 --- -| | Id | Type | Entity | Policy | IaC | -|-----|-------------|----------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| -| 0 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | -| 1 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | -| 2 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | -| 3 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | -| 4 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | -| 5 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | -| 6 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | -| 7 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | -| 8 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | -| 9 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | -| 10 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | -| 11 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | -| 12 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | -| 13 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | -| 14 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | -| 15 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 16 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 17 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 18 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 19 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | -| 20 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | -| 21 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | -| 22 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | -| 23 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | -| 24 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | -| 25 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | -| 26 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | -| 27 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | -| 28 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | -| 29 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | -| 30 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | -| 31 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | -| 32 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | -| 33 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | -| 34 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | -| 35 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | -| 36 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | -| 37 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | -| 38 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | -| 39 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | -| 40 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | -| 41 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | -| 42 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | -| 43 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | -| 44 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | -| 45 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | -| 46 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | -| 47 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | -| 48 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | -| 49 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | -| 50 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | -| 51 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | -| 52 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | -| 53 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | -| 54 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | -| 55 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | -| 56 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | -| 57 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | -| 58 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | -| 59 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | -| 60 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | -| 61 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | -| 62 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | -| 63 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | -| 64 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | -| 65 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | -| 66 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | -| 67 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | -| 68 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | -| 69 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | -| 70 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | -| 71 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | -| 72 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | -| 73 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | -| 74 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | -| 75 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | -| 76 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | -| 77 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | -| 78 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | -| 79 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | -| 80 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 81 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 82 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 83 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 84 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 85 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 86 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 87 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 88 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 89 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 90 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 91 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 92 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 93 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 94 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 95 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 96 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 97 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 98 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 99 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 100 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 101 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 102 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 103 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 104 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 105 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | -| 106 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | -| 107 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | -| 108 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | -| 109 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | -| 110 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | -| 111 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | -| 112 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | -| 113 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | -| 114 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | -| 115 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | -| 116 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | -| 117 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | -| 118 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | -| 119 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | -| 120 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | -| 121 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | - - ---- - - From f30ce29afc4075da5ba0b95493ef41c78d07afbc Mon Sep 17 00:00:00 2001 From: Barak Schoster Goihman Date: Mon, 9 Aug 2021 14:34:39 +0300 Subject: [PATCH 031/203] add secrets to list command (#1480) --- docs/5.Policy Index/all.md | 580 ++++++++++++++++++------------------- 1 file changed, 290 insertions(+), 290 deletions(-) diff --git a/docs/5.Policy Index/all.md b/docs/5.Policy Index/all.md index 6726337d03..630b72b079 100644 --- a/docs/5.Policy Index/all.md +++ b/docs/5.Policy Index/all.md @@ -327,8 +327,8 @@ nav_order: 1 | 316 | CKV_AWS_171 | resource | aws_emr_security_configuration | Ensure Cluster security configuration encryption is using SSE-KMS | Terraform | | 317 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | | 318 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | -| 319 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | -| 320 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 319 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 320 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | | 321 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | | 322 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | | 323 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | @@ -342,8 +342,8 @@ nav_order: 1 | 331 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | | 332 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | | 333 | CKV2_AWS_11 | resource | aws_vpc | Ensure VPC flow logging is enabled in all VPCs | Terraform | -| 334 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | -| 335 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 334 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 335 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | | 336 | CKV2_AWS_13 | resource | aws_redshift_cluster | Ensure that Redshift clusters has backup plan of AWS Backup | Terraform | | 337 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | | 338 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | @@ -362,8 +362,8 @@ nav_order: 1 | 351 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | | 352 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | | 353 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | -| 354 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | -| 355 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | +| 354 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | +| 355 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | | 356 | CKV_AZURE_1 | resource | azurerm_linux_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | | 357 | CKV_AZURE_1 | resource | azurerm_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | | 358 | CKV_AZURE_1 | resource | Microsoft.Compute/virtualMachines | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | arm | @@ -568,22 +568,22 @@ nav_order: 1 | 557 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | | 558 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | | 559 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 560 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 561 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 560 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 561 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 562 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 563 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 564 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 563 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 564 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 565 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 566 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 567 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 568 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | -| 569 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 566 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 567 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 568 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 569 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 570 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | -| 571 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | -| 572 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | +| 571 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | +| 572 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 573 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | -| 574 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | -| 575 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 574 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 575 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | | 576 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | | 577 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | | 578 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | @@ -591,18 +591,18 @@ nav_order: 1 | 580 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | | 581 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | | 582 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | -| 583 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 584 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 585 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 586 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 583 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 584 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 585 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 586 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | | 587 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 588 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 589 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | | 590 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | | 591 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | | 592 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 593 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 594 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 593 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 594 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 595 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 596 | CKV_DOCKER_1 | dockerfile | EXPOSE | Ensure port 22 is not exposed | dockerfile | | 597 | CKV_DOCKER_2 | dockerfile | * | Ensure that HEALTHCHECK instructions have been added to container images | dockerfile | @@ -696,279 +696,279 @@ nav_order: 1 | 685 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | | 686 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | | 687 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 688 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 689 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 690 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 691 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 692 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 693 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 694 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 695 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 696 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 697 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 698 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 699 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 700 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 701 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 702 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 703 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 704 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 705 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 706 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 707 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 708 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 709 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 710 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 711 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 712 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 713 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 714 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 715 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 716 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 717 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 718 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 719 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 720 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 721 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 722 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 723 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 724 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 725 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 726 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 727 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 728 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 729 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 730 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 731 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 732 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 733 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 734 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 735 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 736 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 737 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 738 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 739 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 740 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 741 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 742 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 743 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 744 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 745 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 746 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 747 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 748 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 749 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 750 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 751 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 752 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 753 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 754 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 755 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 756 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 757 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 758 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 759 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 760 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 761 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 762 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 763 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 688 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 689 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 690 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 691 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 692 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 693 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 694 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 695 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 696 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 697 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 698 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 699 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 700 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 701 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 702 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 703 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 704 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 705 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 706 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 707 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 708 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 709 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 710 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 711 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 712 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 713 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 714 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 715 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 716 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 717 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 718 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 719 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 720 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 721 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 722 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 723 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 724 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 725 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 726 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 727 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 728 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 729 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 730 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 731 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 732 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 733 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 734 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 735 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 736 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 737 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 738 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 739 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 740 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 741 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 742 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 743 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 744 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 745 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 746 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 747 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 748 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 749 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 750 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 751 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 752 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 753 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 754 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 755 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 756 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 757 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 758 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 759 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 760 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 761 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 762 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 763 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 764 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 765 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 766 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 767 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 768 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 769 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 770 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 771 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 772 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 773 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 774 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 775 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 776 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 777 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 778 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 779 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 780 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 781 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 782 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 783 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 784 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 785 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 786 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 787 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 788 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 789 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 790 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 791 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 792 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 793 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 794 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 795 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 796 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 797 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 798 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 799 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 800 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 801 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 802 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 803 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 804 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 805 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 806 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 807 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 808 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 809 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 810 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 811 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 812 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 813 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 814 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 815 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 816 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 817 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 818 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 819 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 820 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 821 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 822 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 823 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 824 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 825 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 826 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 827 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 828 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 829 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 830 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 831 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 832 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 833 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 834 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 835 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 836 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 837 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 838 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 839 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 840 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 841 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 842 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 843 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 844 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 845 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 846 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 847 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 848 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 849 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 765 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 766 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 767 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 768 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 769 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 770 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 771 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 772 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 773 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 774 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 775 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 776 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 777 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 778 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 779 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 780 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 781 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 782 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 783 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 784 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 785 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 786 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 787 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 788 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 789 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 790 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 791 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 792 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 793 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 794 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 795 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 796 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 797 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 798 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 799 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 800 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 801 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 802 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 803 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 804 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 805 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 806 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 807 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 808 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 809 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 810 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 811 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 812 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 813 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 814 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 815 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 816 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 817 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 818 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 819 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 820 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 821 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 822 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 823 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 824 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 825 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 826 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 827 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 828 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 829 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 830 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 831 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 832 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 833 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 834 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 835 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 836 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 837 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 838 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 839 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 840 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 841 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 842 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 843 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 844 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 845 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 846 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 847 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 848 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 849 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 850 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 851 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 852 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 853 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 854 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 855 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 856 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 857 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 858 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 859 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 860 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 861 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 862 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 863 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 864 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 865 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 866 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 867 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 868 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 869 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 870 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 871 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 872 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 873 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 874 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 875 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 876 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 877 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 878 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 879 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 880 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 881 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 882 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 883 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 884 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 885 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 886 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 887 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 888 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 889 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 890 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 891 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 892 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 893 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 894 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 895 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 896 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 897 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 898 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 899 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 900 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 901 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 902 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 903 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 904 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 905 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 906 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 907 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 908 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 909 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 910 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 911 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 912 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 913 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 914 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 915 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 916 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 917 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 918 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 919 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 920 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 921 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 922 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 923 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 924 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 925 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 926 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 927 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 928 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 929 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 930 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 931 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 932 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 933 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 934 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 935 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 936 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 937 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 938 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 939 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 940 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 941 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 942 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 943 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 944 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 945 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 946 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 947 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 948 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 949 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 851 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 852 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 853 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 854 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 855 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 856 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 857 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 858 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 859 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 860 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 861 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 862 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 863 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 864 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 865 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 866 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 867 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 868 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 869 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 870 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 871 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 872 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 873 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 874 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 875 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 876 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 877 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 878 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 879 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 880 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 881 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 882 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 883 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 884 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 885 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 886 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 887 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 888 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 889 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 890 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 891 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 892 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 893 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 894 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 895 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 896 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 897 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 898 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 899 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 900 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 901 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 902 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 903 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 904 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 905 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 906 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 907 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 908 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 909 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 910 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 911 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 912 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 913 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 914 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 915 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 916 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 917 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 918 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 919 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 920 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 921 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 922 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 923 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 924 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 925 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 926 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 927 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 928 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 929 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 930 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 931 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 932 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 933 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 934 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 935 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 936 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 937 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 938 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 939 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 940 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 941 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 942 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 943 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 944 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 945 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 946 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 947 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 948 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 949 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 950 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 951 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 952 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 953 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 952 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 953 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 954 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | | 955 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 956 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 957 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 956 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 957 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | | 958 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 959 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | -| 960 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 959 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 960 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 961 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform | | 962 | CKV_K8S_1 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host process ID namespace | Kubernetes | | 963 | CKV_K8S_2 | resource | PodSecurityPolicy | Do not admit privileged containers | Kubernetes | From 0a91e2ff00d3ad7ccf85d63fc348b4528bb60002 Mon Sep 17 00:00:00 2001 From: Nimrod Kor Date: Mon, 9 Aug 2021 14:24:18 +0300 Subject: [PATCH 032/203] Merge pull request #1478 from bridgecrewio/fix_azure_125 Fix CKV_AZURE_125 --- docs/5.Policy Index/serverless.md | 129 ++++++++++++++++++++++++++++++ 1 file changed, 129 insertions(+) diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index d35af83ca3..903b7147ef 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md @@ -16,3 +16,132 @@ nav_order: 1 --- +| | Id | Type | Entity | Policy | IaC | +|-----|-------------|----------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| +| 0 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | +| 1 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | +| 2 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | +| 3 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | +| 4 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | +| 5 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | +| 6 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | +| 7 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | +| 8 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | +| 9 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | +| 10 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | +| 11 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | +| 12 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | +| 13 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | +| 14 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | +| 15 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 16 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 17 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 18 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 19 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | +| 20 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | +| 21 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | +| 22 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | +| 23 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | +| 24 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | +| 25 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | +| 26 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | +| 27 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | +| 28 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | +| 29 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | +| 30 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | +| 31 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | +| 32 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | +| 33 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | +| 34 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | +| 35 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | +| 36 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | +| 37 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | +| 38 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | +| 39 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | +| 40 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | +| 41 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | +| 42 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | +| 43 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | +| 44 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | +| 45 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | +| 46 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | +| 47 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | +| 48 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | +| 49 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | +| 50 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | +| 51 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | +| 52 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | +| 53 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | +| 54 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | +| 55 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | +| 56 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | +| 57 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | +| 58 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | +| 59 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | +| 60 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | +| 61 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | +| 62 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | +| 63 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | +| 64 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | +| 65 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | +| 66 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | +| 67 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | +| 68 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | +| 69 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | +| 70 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | +| 71 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | +| 72 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | +| 73 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | +| 74 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | +| 75 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | +| 76 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | +| 77 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | +| 78 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | +| 79 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | +| 80 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 81 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 82 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 83 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 84 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 85 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 86 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 87 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 88 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 89 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 90 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 91 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 92 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 93 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 94 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 95 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 96 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 97 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 98 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 99 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 100 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 101 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 102 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 103 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 104 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 105 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | +| 106 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | +| 107 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | +| 108 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | +| 109 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | +| 110 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | +| 111 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | +| 112 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | +| 113 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | +| 114 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | +| 115 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | +| 116 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | +| 117 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | +| 118 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | +| 119 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | +| 120 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | +| 121 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | + + +--- + + From 6de33a3440ff358968bfc97c1c606bf0104e7f1b Mon Sep 17 00:00:00 2001 From: Barak Schoster Goihman Date: Mon, 9 Aug 2021 14:34:39 +0300 Subject: [PATCH 033/203] add secrets to list command (#1480) --- checkov/version.py | 2 +- kubernetes/requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/checkov/version.py b/checkov/version.py index b81427ff94..5e9948e293 100644 --- a/checkov/version.py +++ b/checkov/version.py @@ -1 +1 @@ -version = '2.0.339' +version = '2.0.340' diff --git a/kubernetes/requirements.txt b/kubernetes/requirements.txt index a63e617704..9568462bbc 100644 --- a/kubernetes/requirements.txt +++ b/kubernetes/requirements.txt @@ -1 +1 @@ -checkov==2.0.339 +checkov==2.0.340 From c4f3904887afffce899f36ab7107cf67a2f01841 Mon Sep 17 00:00:00 2001 From: Nimrod Kor Date: Mon, 9 Aug 2021 18:19:39 +0300 Subject: [PATCH 034/203] Fix Integration Tests consistency (#1481) * Add logs to IT run * Add echo to command * Run API key tests only on 3.7 * Fix switch case * Fix if 2 * Add a retry for platform integration in progress * Fix built in function * Add info log * Revert UT comment-out * Increase retry count and sleep time --- .../common/bridgecrew/platform_integration.py | 137 ++++++++++-------- integration_tests/prepare_data.sh | 2 +- .../test_checkov_cli_integration_report.py | 4 +- 3 files changed, 79 insertions(+), 64 deletions(-) diff --git a/checkov/common/bridgecrew/platform_integration.py b/checkov/common/bridgecrew/platform_integration.py index c29e7ecc20..f52a53e612 100644 --- a/checkov/common/bridgecrew/platform_integration.py +++ b/checkov/common/bridgecrew/platform_integration.py @@ -1,20 +1,21 @@ +import json +import logging import os.path +import re +import time +import webbrowser from concurrent import futures +from json import JSONDecodeError +from os import path from time import sleep +from typing import Optional import boto3 import dpath.util -import json -import logging -import re import requests import urllib3 -import webbrowser from botocore.exceptions import ClientError from colorama import Style -# from git import Repo -from json import JSONDecodeError -from os import path from termcolor import colored from tqdm import trange from urllib3.exceptions import HTTPError @@ -35,7 +36,7 @@ UNAUTHORIZED_MESSAGE = 'User is not authorized to access this resource with an explicit deny' DEFAULT_REGION = "us-west-2" - +MAX_RETRIES = 10 ONBOARDING_SOURCE = "checkov" SIGNUP_HEADER = { @@ -44,6 +45,7 @@ 'Content-Type': 'application/json;charset=UTF-8' } + class BcPlatformIntegration(object): def __init__(self): self.bc_api_key = read_key() @@ -144,7 +146,7 @@ def setup_bridgecrew_credentials(self, bc_api_key, repo_id, skip_fixes=False, sk def get_s3_role(self, bc_api_key, repo_id): request = self.http.request("POST", self.integrations_api_url, body=json.dumps({"repoId": repo_id}), - headers={"Authorization": bc_api_key, "Content-Type": "application/json"}) + headers={"Authorization": bc_api_key, "Content-Type": "application/json"}) response = json.loads(request.data.decode("utf8")) while ('Message' in response or 'message' in response): if 'Message' in response and response['Message'] == UNAUTHORIZED_MESSAGE: @@ -152,7 +154,7 @@ def get_s3_role(self, bc_api_key, repo_id): if 'message' in response and "cannot be found" in response['message']: self.loading_output("creating role") request = self.http.request("POST", self.integrations_api_url, body=json.dumps({"repoId": repo_id}), - headers={"Authorization": bc_api_key, "Content-Type": "application/json"}) + headers={"Authorization": bc_api_key, "Content-Type": "application/json"}) response = json.loads(request.data.decode("utf8")) repo_full_path = response["path"] @@ -165,13 +167,15 @@ def is_integration_configured(self): """ return self.platform_integration_configured - def persist_repository(self, root_dir, files=None, excluded_paths=[]): + def persist_repository(self, root_dir, files=None, excluded_paths=None): """ Persist the repository found on root_dir path to Bridgecrew's platform. If --file flag is used, only files that are specified will be persisted. :param files: Absolute path of the files passed in the --file flag. :param root_dir: Absolute path of the directory containing the repository root level. + :param excluded_paths: Paths to exclude from persist process """ + excluded_paths = excluded_paths if excluded_paths is not None else [] if not self.use_s3_integration: return @@ -222,36 +226,48 @@ def commit_repository(self, branch): :param branch: branch to be persisted Finalize the repository's scanning in bridgecrew's platform. """ - if not self.use_s3_integration: - return + try_num = 0 + while try_num < MAX_RETRIES: + if not self.use_s3_integration: + return - request = None - try: + request = None + response = None + try: - request = self.http.request("PUT", f"{self.integrations_api_url}?source={self.bc_source.name}", - body=json.dumps({"path": self.repo_path, "branch": branch, "to_branch": BC_TO_BRANCH, - "pr_id": BC_PR_ID, "pr_url": BC_PR_URL, - "commit_hash": BC_COMMIT_HASH, "commit_url": BC_COMMIT_URL, - "author": BC_AUTHOR_NAME, "author_url": BC_AUTHOR_URL, - "run_id": BC_RUN_ID, "run_url": BC_RUN_URL, - "repository_url": BC_REPOSITORY_URL}), - headers={"Authorization": self.bc_api_key, "Content-Type": "application/json", - 'x-api-client': self.bc_source.name, 'x-api-checkov-version': checkov_version - }) - response = json.loads(request.data.decode("utf8")) - url = response.get("url", None) - return url - except HTTPError as e: - logging.error(f"Failed to commit repository {self.repo_path}\n{e}") - raise e - except JSONDecodeError as e: - logging.error(f"Response of {self.integrations_api_url} is not a valid JSON\n{e}") - raise e - finally: - if request.status == 201 and response["result"] == "Success": - logging.info(f"Finalize repository {self.repo_id} in bridgecrew's platform") - else: - raise Exception(f"Failed to finalize repository {self.repo_id} in bridgecrew's platform\n{response}") + request = self.http.request("PUT", f"{self.integrations_api_url}?source={self.bc_source.name}", + body=json.dumps( + {"path": self.repo_path, "branch": branch, "to_branch": BC_TO_BRANCH, + "pr_id": BC_PR_ID, "pr_url": BC_PR_URL, + "commit_hash": BC_COMMIT_HASH, "commit_url": BC_COMMIT_URL, + "author": BC_AUTHOR_NAME, "author_url": BC_AUTHOR_URL, + "run_id": BC_RUN_ID, "run_url": BC_RUN_URL, + "repository_url": BC_REPOSITORY_URL}), + headers={"Authorization": self.bc_api_key, + "Content-Type": "application/json", + 'x-api-client': self.bc_source.name, + 'x-api-checkov-version': checkov_version + }) + response = json.loads(request.data.decode("utf8")) + url = response.get("url", None) + return url + except HTTPError as e: + logging.error(f"Failed to commit repository {self.repo_path}\n{e}") + raise e + except JSONDecodeError as e: + logging.error(f"Response of {self.integrations_api_url} is not a valid JSON\n{e}") + raise e + finally: + if request.status == 201 and response and response.get("result") == "Success": + logging.info(f"Finalize repository {self.repo_id} in bridgecrew's platform") + elif try_num < MAX_RETRIES and re.match('The integration ID .* in progress', + response.get('message', '')): + logging.info(f"Failed to persist for repo {self.repo_id}, sleeping for 2 seconds before retrying") + try_num += 1 + sleep(3) + else: + raise Exception( + f"Failed to finalize repository {self.repo_id} in bridgecrew's platform\n{response}") def _persist_file(self, full_file_path, relative_file_path): tries = 4 @@ -290,8 +306,8 @@ def get_ckv_to_bc_id_mapping(self) -> dict: self.get_checkov_mapping_metadata() return self.ckv_to_bc_id_mapping - def get_checkov_mapping_metadata(self) -> dict: - BC_SKIP_MAPPING = os.getenv("BC_SKIP_MAPPING","FALSE") + def get_checkov_mapping_metadata(self) -> Optional[dict]: + BC_SKIP_MAPPING = os.getenv("BC_SKIP_MAPPING", "FALSE") if BC_SKIP_MAPPING.upper() == "TRUE": logging.debug(f"Skipped mapping API call") self.ckv_to_bc_id_mapping = {} @@ -324,7 +340,7 @@ def onboarding(self): "\t" + u"\u25E6 " + "\tAutomated cloud resource checks\n" "\t" + u"\u25E6 " + "\tResource drift detection\n" "\n" - "\n" + "and much more...",'yellow') + + "\n" + "and much more...",'yellow') + colored("\n\nIt's easy and only takes 2 minutes. We can do it right now!\n\n" "To Level-up, press 'y'... \n", 'cyan') + Style.RESET_ALL) @@ -339,7 +355,7 @@ def onboarding(self): org = self._input_orgname() print(Style.BRIGHT + colored("\nAmazing!" "\nWe are now generating a personal API key to immediately enable some new features… ",'green', attrs=['bold'])) - + bc_api_token, response = self.get_api_token(email, org) self.bc_api_key = bc_api_token if response.status_code == 200: @@ -350,14 +366,14 @@ def onboarding(self): print(Style.BRIGHT + colored("Checkov Dashboard is configured, opening https://bridgecrew.cloud to explore your new powers.", 'green', attrs=['bold'])) print(Style.BRIGHT + colored("FYI - check your inbox for login details! \n", 'green')) - print(Style.BRIGHT + colored("Congratulations! You’ve just super-sized your Checkov! Why not test-drive image scanning now:",'cyan')) + print(Style.BRIGHT + colored("Congratulations! You’ve just super-sized your Checkov! Why not test-drive image scanning now:",'cyan')) print(Style.BRIGHT + colored("\ncheckov --docker-image ubuntu --dockerfile-path /Users/bob/workspaces/bridgecrew/Dockerfile --repo-id bob/test --branch master\n",'white')) - print(Style.BRIGHT + colored("Or download our VS Code plugin: https://github.com/bridgecrewio/checkov-vscode \n", 'cyan',attrs=['bold'])) + print(Style.BRIGHT + colored("Or download our VS Code plugin: https://github.com/bridgecrewio/checkov-vscode \n", 'cyan',attrs=['bold'])) + + print(Style.BRIGHT + colored( "Interested in contributing to Checkov as an open source developer. We thought you’d never ask. Check us out at: \nhttps://github.com/bridgecrewio/checkov/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22 \n", 'white', attrs=['bold'])) - print(Style.BRIGHT + colored( "Interested in contributing to Checkov as an open source developer. We thought you’d never ask. Check us out at: \nhttps://github.com/bridgecrewio/checkov/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22 \n", 'white', attrs=['bold'])) - else: print( Style.BRIGHT + colored("\nCould not create account, please try again on your next scan! \n", @@ -379,18 +395,18 @@ def get_report_to_platform(self, args, scan_reports): if self.is_integration_configured(): self._upload_run(args, scan_reports) -# Added this to generate a default repo_id for cli scans for upload to the platform -# whilst also persisting a cli repo_id into the object + # Added this to generate a default repo_id for cli scans for upload to the platform + # whilst also persisting a cli repo_id into the object def persist_bc_api_key(self, args): if args.bc_api_key: - self.bc_api_key=args.bc_api_key - else: + self.bc_api_key = args.bc_api_key + else: # get the key from file - self.bc_api_key=read_key() - return self.bc_api_key + self.bc_api_key = read_key() + return self.bc_api_key -# Added this to generate a default repo_id for cli scans for upload to the platform -# whilst also persisting a cli repo_id into the object + # Added this to generate a default repo_id for cli scans for upload to the platform + # whilst also persisting a cli repo_id into the object def persist_repo_id(self, args): if args.repo_id is None: if BC_FROM_BRANCH: @@ -402,10 +418,10 @@ def persist_repo_id(self, args): # Get the base path of the file based on it's absolute path basename = os.path.basename(os.path.dirname(os.path.abspath(args.file[0]))) self.repo_id = "cli_repo/" + basename - - else: - self.repo_id=args.repo_id - return self.repo_id + + else: + self.repo_id = args.repo_id + return self.repo_id def get_repository(self, args): if BC_FROM_BRANCH: @@ -449,7 +465,7 @@ def _create_bridgecrew_account(self, email, org): return response else: raise Exception("failed to create a bridgecrew account. An organization with this name might already " - "exist with this email address. Please login bridgecrew.cloud to retrieve access key"); + "exist with this email address. Please login bridgecrew.cloud to retrieve access key") def _input_orgname(self): valid = False @@ -484,6 +500,7 @@ def _input_levelup_results(self): def _input_email(self): valid_email = False + email = '' while not valid_email: email = str(input('E-Mail: ')).lower().strip() # nosec if re.search(EMAIL_PATTERN, email): diff --git a/integration_tests/prepare_data.sh b/integration_tests/prepare_data.sh index 6629018018..c398933af5 100755 --- a/integration_tests/prepare_data.sh +++ b/integration_tests/prepare_data.sh @@ -9,4 +9,4 @@ pipenv run checkov -s --framework terraform --skip-check CKV_AWS_33,CKV_AWS_41 - pipenv run checkov -s -d cfngoat/ -o json --quiet > checkov_report_cfngoat_quiet.json pipenv run checkov -s -d terragoat/terraform/ --config-file integration_tests/example_config_files/config.yaml -o json > checkov_config_report_terragoat.json pipenv run checkov -s -f terragoat/terraform/aws/s3.tf --bc-api-key $BC_KEY > checkov_report_s3_singlefile_api_key_terragoat.txt -pipenv run checkov -s -d terragoat/terraform/azure/ --bc-api-key $BC_KEY > checkov_report_azuredir_api_key_terragoat.txt \ No newline at end of file +pipenv run checkov -s -d terragoat/terraform/azure/ --bc-api-key $BC_KEY > checkov_report_azuredir_api_key_terragoat.txt diff --git a/integration_tests/test_checkov_cli_integration_report.py b/integration_tests/test_checkov_cli_integration_report.py index 9315e310f9..c210227358 100644 --- a/integration_tests/test_checkov_cli_integration_report.py +++ b/integration_tests/test_checkov_cli_integration_report.py @@ -1,5 +1,3 @@ -import itertools -import json import os import unittest @@ -21,7 +19,7 @@ def validate_report(self, report_path): with open(report_path) as f: if 'More details: https://www.bridgecrew.cloud/codeReview/' in f.read(): platform_url_found = True - self.assertTrue(platform_url_found,"when using api key, platform code review url should exist") + self.assertTrue(platform_url_found, "when using api key, platform code review url should exist") if __name__ == '__main__': From 5bb6801cf5300e52912d41c18d8b531a35d8beea Mon Sep 17 00:00:00 2001 From: Radoslav Denchev <42907623+rdenchev@users.noreply.github.com> Date: Thu, 5 Aug 2021 16:18:22 +0000 Subject: [PATCH 035/203] Merge 2237d42c4848084a668f560e37d9b3f36ad08dff into bb3eeeba409cd83311690724af54af67882a115d --- docs/5.Policy Index/terraform.md | 608 +++++++++++++++---------------- 1 file changed, 304 insertions(+), 304 deletions(-) diff --git a/docs/5.Policy Index/terraform.md b/docs/5.Policy Index/terraform.md index 357bd97cd2..0310dc9733 100644 --- a/docs/5.Policy Index/terraform.md +++ b/docs/5.Policy Index/terraform.md @@ -200,19 +200,19 @@ nav_order: 1 | 189 | CKV_AWS_169 | resource | aws_sns_topic_policy | Ensure SNS topic policy is not public by only allowing specific services or principals to access it | Terraform | | 190 | CKV_AWS_170 | resource | aws_qldb_ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Terraform | | 191 | CKV_AWS_171 | resource | aws_emr_security_configuration | Ensure Cluster security configuration encryption is using SSE-KMS | Terraform | -| 192 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | -| 193 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | -| 194 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | -| 195 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 192 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | +| 193 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | +| 194 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 195 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | | 196 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | | 197 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | | 198 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | | 199 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | | 200 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to an other resource | Terraform | -| 201 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | -| 202 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | -| 203 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | -| 204 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 201 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | +| 202 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | +| 203 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 204 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | | 205 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | | 206 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | | 207 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | @@ -224,21 +224,21 @@ nav_order: 1 | 213 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | | 214 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | | 215 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 216 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | -| 217 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | +| 216 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | +| 217 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 218 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | -| 219 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 220 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | +| 219 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | +| 220 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | | 221 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | | 222 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | | 223 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | | 224 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | | 225 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | -| 226 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | -| 227 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | +| 226 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | +| 227 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | | 228 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | -| 229 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | -| 230 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | +| 229 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | +| 230 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | | 231 | CKV_AZURE_1 | resource | azurerm_linux_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | | 232 | CKV_AZURE_1 | resource | azurerm_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | | 233 | CKV_AZURE_2 | resource | azurerm_managed_disk | Ensure Azure managed disk has encryption enabled | Terraform | @@ -387,45 +387,45 @@ nav_order: 1 | 376 | CKV_AZURE_130 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables infrastructure encryption | Terraform | | 377 | CKV_AZURE_131 | resource | azurerm_security_center_contact | Ensure that 'Security contact emails' is set | Terraform | | 378 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | -| 379 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 380 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 381 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 379 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 380 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 381 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 382 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 383 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 384 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 383 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 384 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 385 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 386 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 387 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 386 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 387 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | | 388 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 389 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 390 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | -| 391 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 389 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 390 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 391 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 392 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | -| 393 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | -| 394 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | +| 393 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | +| 394 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 395 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | -| 396 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | -| 397 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 396 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 397 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | | 398 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | | 399 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | -| 400 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | -| 401 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | -| 402 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | -| 403 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | +| 400 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | +| 401 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | +| 402 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | +| 403 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | | 404 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | -| 405 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 406 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 405 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 406 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | | 407 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | | 408 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | | 409 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 410 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 411 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | -| 412 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 413 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 412 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 413 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | | 414 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 415 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 416 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 417 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 415 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 416 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 417 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 418 | CKV_GCP_1 | resource | google_container_cluster | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters | Terraform | | 419 | CKV_GCP_2 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted ssh access | Terraform | | 420 | CKV_GCP_3 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted rdp access | Terraform | @@ -510,276 +510,276 @@ nav_order: 1 | 499 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | | 500 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | | 501 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 502 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 503 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 504 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 505 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 506 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 507 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 508 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 509 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 510 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 511 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 512 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 513 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 514 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 515 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 516 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 517 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 518 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 519 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 520 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 521 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 522 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 523 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 524 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 525 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 526 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 527 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 528 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 529 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 530 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 531 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 532 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 533 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 534 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 535 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 536 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 537 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 538 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 539 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 540 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 541 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 542 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 543 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 544 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 545 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 546 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 547 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 548 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 549 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 550 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 551 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 552 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 553 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 554 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 555 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 556 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 557 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 558 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 559 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 560 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 561 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 562 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 563 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 564 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 565 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 566 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 567 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 568 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 569 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 570 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 571 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 572 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 573 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 574 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 575 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 576 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 577 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 578 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 579 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 580 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 581 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 582 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 583 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 584 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 585 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 586 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 587 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 588 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 589 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 590 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 591 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 592 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 593 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 594 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 595 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 596 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 597 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 598 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 599 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 600 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 601 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 602 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 603 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 604 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 605 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 606 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 607 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 608 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 609 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 610 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 611 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 612 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 613 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 614 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 615 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 616 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 617 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 618 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 619 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 620 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 621 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 622 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 623 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 624 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 625 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 626 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 627 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 628 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 629 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 630 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 631 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 632 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 633 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 634 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 635 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 636 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 637 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 638 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 639 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 640 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 641 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 642 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 643 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 644 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 645 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 646 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 647 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 648 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 649 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 650 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 651 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 652 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 653 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 654 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 655 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 656 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 657 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 658 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 659 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 660 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 661 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 662 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 663 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 664 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 665 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 666 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 667 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 668 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 669 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 670 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 671 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 672 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 673 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 674 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 675 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 676 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 677 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 678 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 679 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 680 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 681 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 682 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 683 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 684 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 685 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 686 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 687 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 688 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 689 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 502 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 503 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 504 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 505 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 506 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 507 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 508 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 509 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 510 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 511 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 512 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 513 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 514 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 515 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 516 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 517 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 518 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 519 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 520 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 521 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 522 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 523 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 524 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 525 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 526 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 527 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 528 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 529 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 530 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 531 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 532 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 533 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 534 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 535 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 536 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 537 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 538 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 539 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 540 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 541 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 542 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 543 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 544 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 545 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 546 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 547 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 548 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 549 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 550 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 551 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 552 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 553 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 554 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 555 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 556 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 557 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 558 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 559 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 560 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 561 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 562 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 563 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 564 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 565 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 566 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 567 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 568 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 569 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 570 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 571 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 572 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 573 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 574 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 575 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 576 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 577 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 578 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 579 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 580 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 581 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 582 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 583 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 584 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 585 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 586 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 587 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 588 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 589 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 590 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 591 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 592 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 593 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 594 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 595 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 596 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 597 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 598 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 599 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 600 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 601 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 602 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 603 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 604 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 605 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 606 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 607 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 608 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 609 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 610 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 611 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 612 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 613 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 614 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 615 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 616 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 617 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 618 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 619 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 620 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 621 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 622 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 623 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 624 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 625 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 626 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 627 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 628 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 629 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 630 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 631 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 632 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 633 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 634 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 635 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 636 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 637 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 638 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 639 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 640 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 641 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 642 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 643 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 644 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 645 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 646 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 647 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 648 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 649 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 650 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 651 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 652 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 653 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 654 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 655 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 656 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 657 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 658 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 659 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 660 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 661 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 662 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 663 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 664 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 665 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 666 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 667 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 668 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 669 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 670 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 671 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 672 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 673 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 674 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 675 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 676 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 677 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 678 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 679 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 680 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 681 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 682 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 683 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 684 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 685 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 686 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 687 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 688 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 689 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 690 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 691 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 692 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 693 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 694 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 695 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 696 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 697 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 698 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 699 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 700 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 701 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 702 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 703 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 704 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 705 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 706 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 707 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 708 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 709 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 710 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 711 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 712 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 713 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 714 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 715 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 716 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 717 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 718 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 719 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 720 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 721 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 722 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 723 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 724 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 725 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 726 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 727 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 728 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 729 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 730 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 731 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 732 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 733 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 734 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 735 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 736 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 737 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 738 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 739 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 740 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 741 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 742 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 743 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 744 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 745 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 746 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 747 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 748 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 749 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 750 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 751 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 752 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 753 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 754 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 755 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 756 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 757 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 758 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 759 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 760 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 761 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 762 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 763 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 691 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 692 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 693 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 694 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 695 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 696 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 697 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 698 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 699 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 700 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 701 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 702 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 703 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 704 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 705 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 706 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 707 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 708 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 709 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 710 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 711 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 712 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 713 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 714 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 715 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 716 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 717 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 718 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 719 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 720 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 721 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 722 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 723 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 724 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 725 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 726 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 727 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 728 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 729 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 730 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 731 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 732 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 733 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 734 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 735 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 736 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 737 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 738 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 739 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 740 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 741 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 742 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 743 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 744 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 745 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 746 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 747 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 748 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 749 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 750 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 751 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 752 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 753 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 754 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 755 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 756 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 757 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 758 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 759 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 760 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 761 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 762 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 763 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 764 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 765 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 766 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 767 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 768 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | | 769 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 770 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 771 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 770 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 771 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | | 772 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | | 773 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 774 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | From cc4305e6d4c0cca6733999bb191c6422032c28f9 Mon Sep 17 00:00:00 2001 From: Nimrod Kor Date: Mon, 9 Aug 2021 18:19:39 +0300 Subject: [PATCH 036/203] Fix Integration Tests consistency (#1481) * Add logs to IT run * Add echo to command * Run API key tests only on 3.7 * Fix switch case * Fix if 2 * Add a retry for platform integration in progress * Fix built in function * Add info log * Revert UT comment-out * Increase retry count and sleep time --- docs/5.Policy Index/serverless.md | 129 ------------------------------ 1 file changed, 129 deletions(-) diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index 903b7147ef..d35af83ca3 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md @@ -16,132 +16,3 @@ nav_order: 1 --- -| | Id | Type | Entity | Policy | IaC | -|-----|-------------|----------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| -| 0 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | -| 1 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | -| 2 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | -| 3 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | -| 4 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | -| 5 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | -| 6 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | -| 7 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | -| 8 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | -| 9 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | -| 10 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | -| 11 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | -| 12 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | -| 13 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | -| 14 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | -| 15 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 16 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 17 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 18 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 19 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | -| 20 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | -| 21 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | -| 22 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | -| 23 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | -| 24 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | -| 25 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | -| 26 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | -| 27 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | -| 28 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | -| 29 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | -| 30 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | -| 31 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | -| 32 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | -| 33 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | -| 34 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | -| 35 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | -| 36 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | -| 37 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | -| 38 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | -| 39 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | -| 40 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | -| 41 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | -| 42 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | -| 43 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | -| 44 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | -| 45 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | -| 46 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | -| 47 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | -| 48 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | -| 49 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | -| 50 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | -| 51 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | -| 52 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | -| 53 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | -| 54 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | -| 55 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | -| 56 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | -| 57 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | -| 58 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | -| 59 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | -| 60 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | -| 61 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | -| 62 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | -| 63 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | -| 64 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | -| 65 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | -| 66 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | -| 67 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | -| 68 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | -| 69 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | -| 70 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | -| 71 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | -| 72 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | -| 73 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | -| 74 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | -| 75 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | -| 76 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | -| 77 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | -| 78 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | -| 79 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | -| 80 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 81 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 82 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 83 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 84 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 85 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 86 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 87 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 88 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 89 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 90 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 91 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 92 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 93 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 94 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 95 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 96 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 97 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 98 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 99 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 100 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 101 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 102 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 103 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 104 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 105 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | -| 106 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | -| 107 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | -| 108 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | -| 109 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | -| 110 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | -| 111 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | -| 112 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | -| 113 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | -| 114 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | -| 115 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | -| 116 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | -| 117 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | -| 118 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | -| 119 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | -| 120 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | -| 121 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | - - ---- - - From ad86eea0eb360d8cafd8e6064c8df2aa6d58e630 Mon Sep 17 00:00:00 2001 From: Radoslav Denchev <42907623+rdenchev@users.noreply.github.com> Date: Thu, 5 Aug 2021 16:18:22 +0000 Subject: [PATCH 037/203] Merge 2237d42c4848084a668f560e37d9b3f36ad08dff into bb3eeeba409cd83311690724af54af67882a115d --- docs/5.Policy Index/all.md | 590 ++++++++++++++++++------------------- 1 file changed, 295 insertions(+), 295 deletions(-) diff --git a/docs/5.Policy Index/all.md b/docs/5.Policy Index/all.md index 630b72b079..1ce2396f08 100644 --- a/docs/5.Policy Index/all.md +++ b/docs/5.Policy Index/all.md @@ -327,15 +327,15 @@ nav_order: 1 | 316 | CKV_AWS_171 | resource | aws_emr_security_configuration | Ensure Cluster security configuration encryption is using SSE-KMS | Terraform | | 317 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | | 318 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | -| 319 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | -| 320 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 319 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 320 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | | 321 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | | 322 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | | 323 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | | 324 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | | 325 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to an other resource | Terraform | -| 326 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | -| 327 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | +| 326 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | +| 327 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | | 328 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | | 329 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | | 330 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | @@ -345,12 +345,12 @@ nav_order: 1 | 334 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | | 335 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | | 336 | CKV2_AWS_13 | resource | aws_redshift_cluster | Ensure that Redshift clusters has backup plan of AWS Backup | Terraform | -| 337 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | -| 338 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | +| 337 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | +| 338 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | | 339 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | | 340 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 341 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | -| 342 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | +| 341 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | +| 342 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 343 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | | 344 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | | 345 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | @@ -359,8 +359,8 @@ nav_order: 1 | 348 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | | 349 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | | 350 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | -| 351 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | -| 352 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | +| 351 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | +| 352 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | | 353 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | | 354 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | | 355 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | @@ -568,22 +568,22 @@ nav_order: 1 | 557 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | | 558 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | | 559 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 560 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 561 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 560 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 561 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 562 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 563 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 564 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 563 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 564 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 565 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 566 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 567 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 566 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 567 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | | 568 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 569 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 570 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | -| 571 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | -| 572 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | +| 571 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | +| 572 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 573 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | -| 574 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | -| 575 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 574 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 575 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | | 576 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | | 577 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | | 578 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | @@ -591,19 +591,19 @@ nav_order: 1 | 580 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | | 581 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | | 582 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | -| 583 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 584 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 585 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 586 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 583 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 584 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 585 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 586 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | | 587 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 588 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 589 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | -| 590 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 591 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 590 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 591 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | | 592 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | | 593 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 594 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 595 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 594 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 595 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 596 | CKV_DOCKER_1 | dockerfile | EXPOSE | Ensure port 22 is not exposed | dockerfile | | 597 | CKV_DOCKER_2 | dockerfile | * | Ensure that HEALTHCHECK instructions have been added to container images | dockerfile | | 598 | CKV_DOCKER_3 | dockerfile | * | Ensure that a user for the container has been created | dockerfile | @@ -696,277 +696,277 @@ nav_order: 1 | 685 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | | 686 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | | 687 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 688 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 689 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 690 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 691 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 692 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 693 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 694 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 695 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 696 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 697 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 698 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 699 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 700 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 701 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 702 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 703 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 704 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 705 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 706 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 707 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 708 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 709 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 710 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 711 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 712 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 713 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 714 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 715 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 716 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 717 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 718 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 719 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 720 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 721 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 722 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 723 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 724 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 725 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 726 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 727 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 728 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 729 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 730 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 731 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 732 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 733 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 734 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 735 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 736 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 737 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 738 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 739 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 740 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 741 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 742 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 743 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 744 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 745 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 746 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 747 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 748 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 749 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 750 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 751 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 752 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 753 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 754 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 755 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 756 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 757 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 758 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 759 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 760 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 761 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 762 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 763 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 764 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 765 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 766 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 767 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 768 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 769 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 770 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 771 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 772 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 773 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 774 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 775 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 776 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 777 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 778 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 779 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 780 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 781 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 782 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 783 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 784 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 785 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 786 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 787 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 788 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 789 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 790 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 791 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 792 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 793 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 794 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 795 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 796 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 797 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 798 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 799 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 800 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 801 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 802 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 803 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 804 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 805 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 806 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 807 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 808 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 809 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 810 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 811 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 812 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 813 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 814 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 815 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 816 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 817 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 818 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 819 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 820 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 821 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 822 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 823 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 824 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 825 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 826 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 827 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 828 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 829 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 830 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 831 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 832 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 833 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 834 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 835 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 836 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 837 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 838 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 839 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 840 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 841 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 842 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 843 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 844 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 845 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 846 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 847 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 848 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 849 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 850 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 851 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 852 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 853 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 854 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 855 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 856 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 857 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 858 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 859 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 860 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 861 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 862 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 688 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 689 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 690 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 691 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 692 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 693 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 694 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 695 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 696 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 697 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 698 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 699 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 700 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 701 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 702 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 703 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 704 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 705 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 706 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 707 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 708 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 709 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 710 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 711 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 712 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 713 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 714 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 715 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 716 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 717 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 718 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 719 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 720 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 721 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 722 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 723 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 724 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 725 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 726 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 727 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 728 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 729 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 730 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 731 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 732 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 733 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 734 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 735 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 736 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 737 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 738 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 739 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 740 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 741 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 742 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 743 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 744 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 745 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 746 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 747 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 748 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 749 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 750 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 751 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 752 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 753 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 754 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 755 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 756 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 757 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 758 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 759 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 760 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 761 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 762 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 763 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 764 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 765 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 766 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 767 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 768 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 769 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 770 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 771 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 772 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 773 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 774 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 775 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 776 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 777 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 778 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 779 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 780 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 781 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 782 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 783 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 784 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 785 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 786 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 787 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 788 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 789 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 790 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 791 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 792 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 793 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 794 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 795 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 796 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 797 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 798 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 799 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 800 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 801 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 802 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 803 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 804 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 805 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 806 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 807 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 808 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 809 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 810 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 811 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 812 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 813 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 814 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 815 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 816 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 817 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 818 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 819 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 820 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 821 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 822 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 823 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 824 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 825 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 826 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 827 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 828 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 829 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 830 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 831 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 832 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 833 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 834 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 835 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 836 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 837 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 838 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 839 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 840 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 841 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 842 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 843 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 844 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 845 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 846 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 847 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 848 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 849 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 850 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 851 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 852 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 853 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 854 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 855 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 856 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 857 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 858 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 859 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 860 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 861 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 862 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 863 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 864 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 865 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 866 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 867 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 868 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 869 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 870 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 871 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 872 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 873 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 874 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 875 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 876 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 877 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 878 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 879 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 880 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 881 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 882 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 883 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 884 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 885 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 886 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 887 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 888 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 889 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 890 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 891 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 892 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 893 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 894 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 895 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 896 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 897 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 898 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 899 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 900 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 901 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 902 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 903 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 904 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 905 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 906 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 907 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 908 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 909 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 910 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 911 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 912 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 913 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 914 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 915 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 916 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 917 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 918 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 919 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 920 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 921 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 922 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 923 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 924 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 925 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 926 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 927 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 928 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 929 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 930 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 931 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 932 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 933 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 934 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 935 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 936 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 937 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 938 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 939 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 940 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 941 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 942 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 943 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 944 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 945 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 946 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 947 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 948 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 949 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 864 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 865 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 866 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 867 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 868 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 869 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 870 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 871 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 872 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 873 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 874 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 875 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 876 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 877 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 878 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 879 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 880 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 881 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 882 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 883 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 884 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 885 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 886 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 887 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 888 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 889 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 890 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 891 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 892 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 893 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 894 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 895 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 896 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 897 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 898 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 899 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 900 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 901 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 902 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 903 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 904 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 905 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 906 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 907 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 908 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 909 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 910 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 911 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 912 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 913 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 914 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 915 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 916 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 917 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 918 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 919 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 920 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 921 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 922 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 923 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 924 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 925 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 926 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 927 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 928 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 929 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 930 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 931 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 932 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 933 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 934 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 935 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 936 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 937 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 938 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 939 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 940 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 941 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 942 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 943 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 944 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 945 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 946 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 947 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 948 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 949 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 950 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 951 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 952 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 951 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 952 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 953 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 954 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 955 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 954 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 955 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | | 956 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 957 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 958 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 957 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 958 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | | 959 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 960 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 961 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform | From 86b51368049f61f7c16430f490bfb79f021062fb Mon Sep 17 00:00:00 2001 From: Nimrod Kor Date: Mon, 9 Aug 2021 18:19:39 +0300 Subject: [PATCH 038/203] Fix Integration Tests consistency (#1481) * Add logs to IT run * Add echo to command * Run API key tests only on 3.7 * Fix switch case * Fix if 2 * Add a retry for platform integration in progress * Fix built in function * Add info log * Revert UT comment-out * Increase retry count and sleep time --- docs/5.Policy Index/serverless.md | 129 ++++++++++++++++++++++++++++++ 1 file changed, 129 insertions(+) diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index d35af83ca3..903b7147ef 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md @@ -16,3 +16,132 @@ nav_order: 1 --- +| | Id | Type | Entity | Policy | IaC | +|-----|-------------|----------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| +| 0 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | +| 1 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | +| 2 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | +| 3 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | +| 4 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | +| 5 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | +| 6 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | +| 7 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | +| 8 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | +| 9 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | +| 10 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | +| 11 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | +| 12 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | +| 13 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | +| 14 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | +| 15 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 16 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 17 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 18 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 19 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | +| 20 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | +| 21 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | +| 22 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | +| 23 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | +| 24 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | +| 25 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | +| 26 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | +| 27 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | +| 28 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | +| 29 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | +| 30 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | +| 31 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | +| 32 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | +| 33 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | +| 34 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | +| 35 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | +| 36 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | +| 37 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | +| 38 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | +| 39 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | +| 40 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | +| 41 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | +| 42 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | +| 43 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | +| 44 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | +| 45 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | +| 46 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | +| 47 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | +| 48 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | +| 49 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | +| 50 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | +| 51 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | +| 52 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | +| 53 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | +| 54 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | +| 55 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | +| 56 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | +| 57 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | +| 58 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | +| 59 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | +| 60 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | +| 61 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | +| 62 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | +| 63 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | +| 64 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | +| 65 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | +| 66 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | +| 67 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | +| 68 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | +| 69 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | +| 70 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | +| 71 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | +| 72 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | +| 73 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | +| 74 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | +| 75 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | +| 76 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | +| 77 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | +| 78 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | +| 79 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | +| 80 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 81 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 82 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 83 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 84 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 85 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 86 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 87 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 88 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 89 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 90 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 91 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 92 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 93 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 94 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 95 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 96 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 97 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 98 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 99 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 100 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 101 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 102 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 103 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 104 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 105 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | +| 106 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | +| 107 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | +| 108 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | +| 109 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | +| 110 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | +| 111 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | +| 112 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | +| 113 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | +| 114 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | +| 115 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | +| 116 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | +| 117 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | +| 118 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | +| 119 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | +| 120 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | +| 121 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | + + +--- + + From 4ef1e2ebceb309e984f5a95aab2e54903ca39b2e Mon Sep 17 00:00:00 2001 From: Radoslav Denchev <42907623+rdenchev@users.noreply.github.com> Date: Thu, 5 Aug 2021 16:18:22 +0000 Subject: [PATCH 039/203] Merge 2237d42c4848084a668f560e37d9b3f36ad08dff into bb3eeeba409cd83311690724af54af67882a115d --- checkov/version.py | 2 +- kubernetes/requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/checkov/version.py b/checkov/version.py index 5e9948e293..b0ae603b82 100644 --- a/checkov/version.py +++ b/checkov/version.py @@ -1 +1 @@ -version = '2.0.340' +version = '2.0.341' diff --git a/kubernetes/requirements.txt b/kubernetes/requirements.txt index 9568462bbc..8eb6954394 100644 --- a/kubernetes/requirements.txt +++ b/kubernetes/requirements.txt @@ -1 +1 @@ -checkov==2.0.340 +checkov==2.0.341 From 5da7bf4718d319de38c1921855824dbcf300983b Mon Sep 17 00:00:00 2001 From: Nimrod Kor Date: Mon, 9 Aug 2021 18:54:46 +0300 Subject: [PATCH 040/203] Integration tests fixes #2 (#1482) * Add logs to IT run * Add echo to command * Run API key tests only on 3.7 * Fix switch case * Fix if 2 * Add a retry for platform integration in progress * Fix built in function * Add info log * Revert UT comment-out * Increase retry count and sleep time * Run api-key tests only on python 3.7 * [[ => [ * Fix if-else using bash * Re-enable regular UTs --- .github/workflows/build.yml | 2 +- .github/workflows/pr-test.yml | 2 +- integration_tests/prepare_data.sh | 9 ++++++--- .../test_checkov_cli_integration_report.py | 12 +++++++----- 4 files changed, 15 insertions(+), 10 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 8eb2b1e7fc..8a5a65878c 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -41,7 +41,7 @@ jobs: - name: Create checkov reports run: | sleep $((RANDOM % 11)) - sh integration_tests/prepare_data.sh + sh integration_tests/prepare_data.sh ${{ matrix.python }} env: BC_KEY: ${{ secrets.BC_API_KEY }} - name: Run integration tests diff --git a/.github/workflows/pr-test.yml b/.github/workflows/pr-test.yml index e338ac0d40..960b777d48 100644 --- a/.github/workflows/pr-test.yml +++ b/.github/workflows/pr-test.yml @@ -75,7 +75,7 @@ jobs: BC_KEY: ${{ secrets.BC_API_KEY }} run: | sleep $((RANDOM % 11)) - sh integration_tests/prepare_data.sh + ./integration_tests/prepare_data.sh ${{ matrix.python }} - name: Run integration tests run: | pipenv run pytest integration_tests diff --git a/integration_tests/prepare_data.sh b/integration_tests/prepare_data.sh index c398933af5..e8b24ee503 100755 --- a/integration_tests/prepare_data.sh +++ b/integration_tests/prepare_data.sh @@ -1,4 +1,4 @@ -#!/usr/bin/env bash +#!/bin/bash pipenv run checkov -s --framework terraform -d terragoat/terraform/ -o json > checkov_report_terragoat.json pipenv run checkov -s --framework terraform -d terragoat/terraform/ -o junitxml > checkov_report_terragoat.xml @@ -8,5 +8,8 @@ pipenv run checkov -s -d kubernetes-goat/ --framework helm -o json > checkov_rep pipenv run checkov -s --framework terraform --skip-check CKV_AWS_33,CKV_AWS_41 -d terragoat/terraform/ -o json > checkov_report_terragoat_with_skip.json pipenv run checkov -s -d cfngoat/ -o json --quiet > checkov_report_cfngoat_quiet.json pipenv run checkov -s -d terragoat/terraform/ --config-file integration_tests/example_config_files/config.yaml -o json > checkov_config_report_terragoat.json -pipenv run checkov -s -f terragoat/terraform/aws/s3.tf --bc-api-key $BC_KEY > checkov_report_s3_singlefile_api_key_terragoat.txt -pipenv run checkov -s -d terragoat/terraform/azure/ --bc-api-key $BC_KEY > checkov_report_azuredir_api_key_terragoat.txt +if [[ "$1" == "3.7" ]] +then + pipenv run checkov -s -f terragoat/terraform/aws/s3.tf --bc-api-key $BC_KEY > checkov_report_s3_singlefile_api_key_terragoat.txt + pipenv run checkov -s -d terragoat/terraform/azure/ --bc-api-key $BC_KEY > checkov_report_azuredir_api_key_terragoat.txt +fi diff --git a/integration_tests/test_checkov_cli_integration_report.py b/integration_tests/test_checkov_cli_integration_report.py index c210227358..70ca207e7c 100644 --- a/integration_tests/test_checkov_cli_integration_report.py +++ b/integration_tests/test_checkov_cli_integration_report.py @@ -1,4 +1,5 @@ import os +import sys import unittest current_dir = os.path.dirname(os.path.realpath(__file__)) @@ -15,11 +16,12 @@ def test_terragoat_report_file(self): self.validate_report(os.path.abspath(report_path)) def validate_report(self, report_path): - platform_url_found = False - with open(report_path) as f: - if 'More details: https://www.bridgecrew.cloud/codeReview/' in f.read(): - platform_url_found = True - self.assertTrue(platform_url_found, "when using api key, platform code review url should exist") + if sys.version_info[1] == 7: + platform_url_found = False + with open(report_path) as f: + if 'More details: https://www.bridgecrew.cloud/codeReview/' in f.read(): + platform_url_found = True + self.assertTrue(platform_url_found, "when using api key, platform code review url should exist") if __name__ == '__main__': From 924c1c27baeb472d4f08755eb3c0dac7f485ded7 Mon Sep 17 00:00:00 2001 From: nimrodkor Date: Mon, 9 Aug 2021 19:11:57 +0300 Subject: [PATCH 041/203] Fix build flow --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 8a5a65878c..b8661461a1 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -41,7 +41,7 @@ jobs: - name: Create checkov reports run: | sleep $((RANDOM % 11)) - sh integration_tests/prepare_data.sh ${{ matrix.python }} + ./integration_tests/prepare_data.sh ${{ matrix.python }} env: BC_KEY: ${{ secrets.BC_API_KEY }} - name: Run integration tests From f7627a7d770792f268a16c746d7664280b8541e6 Mon Sep 17 00:00:00 2001 From: nimrodkor Date: Mon, 9 Aug 2021 19:11:57 +0300 Subject: [PATCH 042/203] Fix build flow --- docs/5.Policy Index/cloudformation.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/5.Policy Index/cloudformation.md b/docs/5.Policy Index/cloudformation.md index 30187fa544..f3e710f8cc 100644 --- a/docs/5.Policy Index/cloudformation.md +++ b/docs/5.Policy Index/cloudformation.md @@ -130,6 +130,7 @@ nav_order: 1 | 119 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | | 120 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | | 121 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | +| 122 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | --- From eecd69421ae90d483c49506e4c40b20ef330f1ef Mon Sep 17 00:00:00 2001 From: nimrodkor Date: Mon, 9 Aug 2021 19:11:57 +0300 Subject: [PATCH 043/203] Fix build flow --- docs/5.Policy Index/terraform.md | 1139 +++++++++++++++--------------- 1 file changed, 570 insertions(+), 569 deletions(-) diff --git a/docs/5.Policy Index/terraform.md b/docs/5.Policy Index/terraform.md index 0310dc9733..507051f779 100644 --- a/docs/5.Policy Index/terraform.md +++ b/docs/5.Policy Index/terraform.md @@ -200,592 +200,593 @@ nav_order: 1 | 189 | CKV_AWS_169 | resource | aws_sns_topic_policy | Ensure SNS topic policy is not public by only allowing specific services or principals to access it | Terraform | | 190 | CKV_AWS_170 | resource | aws_qldb_ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Terraform | | 191 | CKV_AWS_171 | resource | aws_emr_security_configuration | Ensure Cluster security configuration encryption is using SSE-KMS | Terraform | -| 192 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | +| 192 | CKV_AWS_172 | resource | aws_qldb_ledger | Ensure QLDB ledger has deletion protection enabled | Terraform | | 193 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | -| 194 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 194 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | | 195 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | -| 196 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 197 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 198 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | -| 199 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | -| 200 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to an other resource | Terraform | -| 201 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | +| 196 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 197 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | +| 198 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | +| 199 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 200 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 201 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to an other resource | Terraform | | 202 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | -| 203 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | -| 204 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | -| 205 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | -| 206 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | -| 207 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | -| 208 | CKV2_AWS_11 | resource | aws_vpc | Ensure VPC flow logging is enabled in all VPCs | Terraform | -| 209 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | -| 210 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | -| 211 | CKV2_AWS_13 | resource | aws_redshift_cluster | Ensure that Redshift clusters has backup plan of AWS Backup | Terraform | -| 212 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | +| 203 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | +| 204 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 205 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 206 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | +| 207 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | +| 208 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | +| 209 | CKV2_AWS_11 | resource | aws_vpc | Ensure VPC flow logging is enabled in all VPCs | Terraform | +| 210 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 211 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 212 | CKV2_AWS_13 | resource | aws_redshift_cluster | Ensure that Redshift clusters has backup plan of AWS Backup | Terraform | | 213 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | -| 214 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 214 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | | 215 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 216 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | -| 217 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | -| 218 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | -| 219 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | +| 216 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 217 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | +| 218 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | +| 219 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | | 220 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 221 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 221 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | | 222 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | -| 223 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | -| 224 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | -| 225 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | -| 226 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | -| 227 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | -| 228 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | -| 229 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | +| 223 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 224 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | +| 225 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | +| 226 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | +| 227 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | +| 228 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | +| 229 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | | 230 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | -| 231 | CKV_AZURE_1 | resource | azurerm_linux_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | -| 232 | CKV_AZURE_1 | resource | azurerm_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | -| 233 | CKV_AZURE_2 | resource | azurerm_managed_disk | Ensure Azure managed disk has encryption enabled | Terraform | -| 234 | CKV_AZURE_3 | resource | azurerm_storage_account | Ensure that 'Secure transfer required' is set to 'Enabled' | Terraform | -| 235 | CKV_AZURE_4 | resource | azurerm_kubernetes_cluster | Ensure AKS logging to Azure Monitoring is Configured | Terraform | -| 236 | CKV_AZURE_5 | resource | azurerm_kubernetes_cluster | Ensure RBAC is enabled on AKS clusters | Terraform | -| 237 | CKV_AZURE_6 | resource | azurerm_kubernetes_cluster | Ensure AKS has an API Server Authorized IP Ranges enabled | Terraform | -| 238 | CKV_AZURE_7 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster has Network Policy configured | Terraform | -| 239 | CKV_AZURE_8 | resource | azurerm_kubernetes_cluster | Ensure Kube Dashboard is disabled | Terraform | -| 240 | CKV_AZURE_9 | resource | azurerm_network_security_rule | Ensure that RDP access is restricted from the internet | Terraform | -| 241 | CKV_AZURE_9 | resource | azurerm_network_security_group | Ensure that RDP access is restricted from the internet | Terraform | -| 242 | CKV_AZURE_10 | resource | azurerm_network_security_rule | Ensure that SSH access is restricted from the internet | Terraform | -| 243 | CKV_AZURE_10 | resource | azurerm_network_security_group | Ensure that SSH access is restricted from the internet | Terraform | -| 244 | CKV_AZURE_11 | resource | azurerm_mariadb_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | -| 245 | CKV_AZURE_11 | resource | azurerm_sql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | -| 246 | CKV_AZURE_11 | resource | azurerm_postgresql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | -| 247 | CKV_AZURE_11 | resource | azurerm_mysql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | -| 248 | CKV_AZURE_12 | resource | azurerm_network_watcher_flow_log | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Terraform | -| 249 | CKV_AZURE_13 | resource | azurerm_app_service | Ensure App Service Authentication is set on Azure App Service | Terraform | -| 250 | CKV_AZURE_14 | resource | azurerm_app_service | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Terraform | -| 251 | CKV_AZURE_15 | resource | azurerm_app_service | Ensure web app is using the latest version of TLS encryption | Terraform | -| 252 | CKV_AZURE_16 | resource | azurerm_app_service | Ensure that Register with Azure Active Directory is enabled on App Service | Terraform | -| 253 | CKV_AZURE_17 | resource | azurerm_app_service | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Terraform | -| 254 | CKV_AZURE_18 | resource | azurerm_app_service | Ensure that 'HTTP Version' is the latest if used to run the web app | Terraform | -| 255 | CKV_AZURE_19 | resource | azurerm_security_center_subscription_pricing | Ensure that standard pricing tier is selected | Terraform | -| 256 | CKV_AZURE_20 | resource | azurerm_security_center_contact | Ensure that security contact 'Phone number' is set | Terraform | -| 257 | CKV_AZURE_21 | resource | azurerm_security_center_contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Terraform | -| 258 | CKV_AZURE_22 | resource | azurerm_security_center_contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Terraform | -| 259 | CKV_AZURE_23 | resource | azurerm_sql_server | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | -| 260 | CKV_AZURE_23 | resource | azurerm_mssql_server | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | -| 261 | CKV_AZURE_24 | resource | azurerm_sql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | -| 262 | CKV_AZURE_24 | resource | azurerm_mssql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | -| 263 | CKV_AZURE_25 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Threat Detection types' is set to 'All' | Terraform | -| 264 | CKV_AZURE_26 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Send Alerts To' is enabled for MSSQL servers | Terraform | -| 265 | CKV_AZURE_27 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | Terraform | -| 266 | CKV_AZURE_28 | resource | azurerm_mysql_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | Terraform | -| 267 | CKV_AZURE_29 | resource | azurerm_postgresql_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Terraform | -| 268 | CKV_AZURE_30 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Terraform | -| 269 | CKV_AZURE_31 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | Terraform | -| 270 | CKV_AZURE_32 | resource | azurerm_postgresql_configuration | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Terraform | -| 271 | CKV_AZURE_33 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Queue service for read, write and delete requests | Terraform | -| 272 | CKV_AZURE_34 | resource | azurerm_storage_container | Ensure that 'Public access level' is set to Private for blob containers | Terraform | -| 273 | CKV_AZURE_35 | resource | azurerm_storage_account | Ensure default network access rule for Storage Accounts is set to deny | Terraform | -| 274 | CKV_AZURE_35 | resource | azurerm_storage_account_network_rules | Ensure default network access rule for Storage Accounts is set to deny | Terraform | -| 275 | CKV_AZURE_36 | resource | azurerm_storage_account | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Terraform | -| 276 | CKV_AZURE_36 | resource | azurerm_storage_account_network_rules | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Terraform | -| 277 | CKV_AZURE_37 | resource | azurerm_monitor_log_profile | Ensure that Activity Log Retention is set 365 days or greater | Terraform | -| 278 | CKV_AZURE_38 | resource | azurerm_monitor_log_profile | Ensure audit profile captures all the activities | Terraform | -| 279 | CKV_AZURE_39 | resource | azurerm_role_definition | Ensure that no custom subscription owner roles are created | Terraform | -| 280 | CKV_AZURE_40 | resource | azurerm_key_vault_key | Ensure that the expiration date is set on all keys | Terraform | -| 281 | CKV_AZURE_41 | resource | azurerm_key_vault_secret | Ensure that the expiration date is set on all secrets | Terraform | -| 282 | CKV_AZURE_42 | resource | azurerm_key_vault | Ensure the key vault is recoverable | Terraform | -| 283 | CKV_AZURE_43 | resource | azurerm_storage_account | Ensure the Storage Account naming rules | Terraform | -| 284 | CKV_AZURE_44 | resource | azurerm_storage_account | Ensure Storage Account is using the latest version of TLS encryption | Terraform | -| 285 | CKV_AZURE_45 | resource | azurerm_virtual_machine | Ensure that no sensitive credentials are exposed in VM custom_data | Terraform | -| 286 | CKV_AZURE_46 | resource | azurerm_mssql_database_extended_auditing_policy | Specifies a retention period of less than 90 days. | Terraform | -| 287 | CKV_AZURE_47 | resource | azurerm_mariadb_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers | Terraform | -| 288 | CKV_AZURE_48 | resource | azurerm_mariadb_server | Ensure 'public network access enabled' is set to 'False' for MariaDB servers | Terraform | -| 289 | CKV_AZURE_49 | resource | azurerm_linux_virtual_machine_scale_set | Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) | Terraform | -| 290 | CKV_AZURE_50 | resource | azurerm_linux_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform | -| 291 | CKV_AZURE_50 | resource | azurerm_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform | -| 292 | CKV_AZURE_52 | resource | azurerm_mssql_server | Ensure MSSQL is using the latest version of TLS encryption | Terraform | -| 293 | CKV_AZURE_53 | resource | azurerm_mysql_server | Ensure 'public network access enabled' is set to 'False' for mySQL servers | Terraform | -| 294 | CKV_AZURE_54 | resource | azurerm_mysql_server | Ensure MySQL is using the latest version of TLS encryption | Terraform | -| 295 | CKV_AZURE_55 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Servers | Terraform | -| 296 | CKV_AZURE_56 | resource | azurerm_function_app | Ensure that function apps enables Authentication | Terraform | -| 297 | CKV_AZURE_57 | resource | azurerm_app_service | Ensure that CORS disallows every resource to access app services | Terraform | -| 298 | CKV_AZURE_58 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces enables managed virtual networks | Terraform | -| 299 | CKV_AZURE_59 | resource | azurerm_storage_account | Ensure that Storage accounts disallow public access | Terraform | -| 300 | CKV_AZURE_60 | resource | azurerm_storage_account | Ensure that storage account enables secure transfer | Terraform | -| 301 | CKV_AZURE_61 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for App Service | Terraform | -| 302 | CKV_AZURE_62 | resource | azurerm_function_app | Ensure function apps are not accessible from all regions | Terraform | -| 303 | CKV_AZURE_63 | resource | azurerm_app_service | Ensure that App service enables HTTP logging | Terraform | -| 304 | CKV_AZURE_64 | resource | azurerm_storage_sync | Ensure that Azure File Sync disables public network access | Terraform | -| 305 | CKV_AZURE_65 | resource | azurerm_app_service | Ensure that App service enables detailed error messages | Terraform | -| 306 | CKV_AZURE_66 | resource | azurerm_app_service | Ensure that App service enables failed request tracing | Terraform | -| 307 | CKV_AZURE_67 | resource | azurerm_function_app | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Terraform | -| 308 | CKV_AZURE_68 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server disables public network access | Terraform | -| 309 | CKV_AZURE_69 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Azure SQL database servers | Terraform | -| 310 | CKV_AZURE_70 | resource | azurerm_function_app | Ensure that Function apps is only accessible over HTTPS | Terraform | -| 311 | CKV_AZURE_71 | resource | azurerm_app_service | Ensure that Managed identity provider is enabled for app services | Terraform | -| 312 | CKV_AZURE_72 | resource | azurerm_app_service | Ensure that remote debugging is not enabled for app services | Terraform | -| 313 | CKV_AZURE_73 | resource | azurerm_automation_variable_bool | Ensure that Automation account variables are encrypted | Terraform | -| 314 | CKV_AZURE_73 | resource | azurerm_automation_variable_string | Ensure that Automation account variables are encrypted | Terraform | -| 315 | CKV_AZURE_73 | resource | azurerm_automation_variable_int | Ensure that Automation account variables are encrypted | Terraform | -| 316 | CKV_AZURE_73 | resource | azurerm_automation_variable_datetime | Ensure that Automation account variables are encrypted | Terraform | -| 317 | CKV_AZURE_74 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer uses disk encryption | Terraform | -| 318 | CKV_AZURE_75 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer uses double encryption | Terraform | -| 319 | CKV_AZURE_76 | resource | azurerm_batch_account | Ensure that Azure Batch account uses key vault to encrypt data | Terraform | -| 320 | CKV_AZURE_77 | resource | azurerm_network_security_rule | Ensure that UDP Services are restricted from the Internet | Terraform | -| 321 | CKV_AZURE_77 | resource | azurerm_network_security_group | Ensure that UDP Services are restricted from the Internet | Terraform | -| 322 | CKV_AZURE_78 | resource | azurerm_app_service | Ensure FTP deployments are disabled | Terraform | -| 323 | CKV_AZURE_79 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for SQL servers on machines | Terraform | -| 324 | CKV_AZURE_80 | resource | azurerm_app_service | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | Terraform | -| 325 | CKV_AZURE_81 | resource | azurerm_app_service | Ensure that 'PHP version' is the latest, if used to run the web app | Terraform | -| 326 | CKV_AZURE_82 | resource | azurerm_app_service | Ensure that 'Python version' is the latest, if used to run the web app | Terraform | -| 327 | CKV_AZURE_83 | resource | azurerm_app_service | Ensure that 'Java version' is the latest, if used to run the web app | Terraform | -| 328 | CKV_AZURE_84 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Storage | Terraform | -| 329 | CKV_AZURE_85 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Kubernetes | Terraform | -| 330 | CKV_AZURE_86 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Container Registries | Terraform | -| 331 | CKV_AZURE_87 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Key Vault | Terraform | -| 332 | CKV_AZURE_88 | resource | azurerm_app_service | Ensure that app services use Azure Files | Terraform | -| 333 | CKV_AZURE_89 | resource | azurerm_redis_cache | Ensure that Azure Cache for Redis disables public network access | Terraform | -| 334 | CKV_AZURE_90 | resource | azurerm_mysql_server | Ensure that MySQL server disables public network access | Terraform | -| 335 | CKV_AZURE_91 | resource | azurerm_redis_cache | Ensure that only SSL are enabled for Cache for Redis | Terraform | -| 336 | CKV_AZURE_92 | resource | azurerm_linux_virtual_machine | Ensure that Virtual Machines use managed disks | Terraform | -| 337 | CKV_AZURE_92 | resource | azurerm_windows_virtual_machine | Ensure that Virtual Machines use managed disks | Terraform | -| 338 | CKV_AZURE_93 | resource | azurerm_managed_disk | Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption | Terraform | -| 339 | CKV_AZURE_94 | resource | azurerm_mysql_server | Ensure that My SQL server enables geo-redundant backups | Terraform | -| 340 | CKV_AZURE_95 | resource | azurerm_virtual_machine_scale_set | Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets | Terraform | -| 341 | CKV_AZURE_96 | resource | azurerm_mysql_server | Ensure that MySQL server enables infrastructure encryption | Terraform | -| 342 | CKV_AZURE_97 | resource | azurerm_linux_virtual_machine_scale_set | Ensure that Virtual machine scale sets have encryption at host enabled | Terraform | -| 343 | CKV_AZURE_97 | resource | azurerm_windows_virtual_machine_scale_set | Ensure that Virtual machine scale sets have encryption at host enabled | Terraform | -| 344 | CKV_AZURE_98 | resource | azurerm_container_group | Ensure that Azure Container group is deployed into virtual network | Terraform | -| 345 | CKV_AZURE_99 | resource | azurerm_cosmosdb_account | Ensure Cosmos DB accounts have restricted access | Terraform | -| 346 | CKV_AZURE_100 | resource | azurerm_cosmosdb_account | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest | Terraform | -| 347 | CKV_AZURE_101 | resource | azurerm_cosmosdb_account | Ensure that Azure Cosmos DB disables public network access | Terraform | -| 348 | CKV_AZURE_102 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables geo-redundant backups | Terraform | -| 349 | CKV_AZURE_103 | resource | azurerm_data_factory | Ensure that Azure Data Factory uses Git repository for source control | Terraform | -| 350 | CKV_AZURE_104 | resource | azurerm_data_factory | Ensure that Azure Data factory public network access is disabled | Terraform | -| 351 | CKV_AZURE_105 | resource | azurerm_data_lake_store | Ensure that Data Lake Store accounts enables encryption | Terraform | -| 352 | CKV_AZURE_106 | resource | azurerm_eventgrid_domain | Ensure that Azure Event Grid Domain public network access is disabled | Terraform | -| 353 | CKV_AZURE_107 | resource | azurerm_api_management | Ensure that API management services use virtual networks | Terraform | -| 354 | CKV_AZURE_108 | resource | azurerm_iothub | Ensure that Azure IoT Hub disables public network access | Terraform | -| 355 | CKV_AZURE_109 | resource | azurerm_key_vault | Ensure that key vault allows firewall rules settings | Terraform | -| 356 | CKV_AZURE_110 | resource | azurerm_key_vault | Ensure that key vault enables purge protection | Terraform | -| 357 | CKV_AZURE_111 | resource | azurerm_key_vault | Ensure that key vault enables soft delete | Terraform | -| 358 | CKV_AZURE_112 | resource | azurerm_key_vault_key | Ensure that key vault key is backed by HSM | Terraform | -| 359 | CKV_AZURE_113 | resource | azurerm_mssql_server | Ensure that SQL server disables public network access | Terraform | -| 360 | CKV_AZURE_114 | resource | azurerm_key_vault_secret | Ensure that key vault secrets have "content_type" set | Terraform | -| 361 | CKV_AZURE_115 | resource | azurerm_kubernetes_cluster | Ensure that AKS enables private clusters | Terraform | -| 362 | CKV_AZURE_116 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses Azure Policies Add-on | Terraform | -| 363 | CKV_AZURE_117 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses disk encryption set | Terraform | -| 364 | CKV_AZURE_118 | resource | azurerm_network_interface | Ensure that Network Interfaces disable IP forwarding | Terraform | -| 365 | CKV_AZURE_119 | resource | azurerm_network_interface | Ensure that Network Interfaces don't use public IPs | Terraform | -| 366 | CKV_AZURE_120 | resource | azurerm_application_gateway | Ensure that Application Gateway enables WAF | Terraform | -| 367 | CKV_AZURE_121 | resource | azurerm_frontdoor | Ensure that Azure Front Door enables WAF | Terraform | -| 368 | CKV_AZURE_122 | resource | azurerm_web_application_firewall_policy | Ensure that Application Gateway uses WAF in "Detection" or "Prevention" modes | Terraform | -| 369 | CKV_AZURE_123 | resource | azurerm_frontdoor_firewall_policy | Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes | Terraform | -| 370 | CKV_AZURE_124 | resource | azurerm_search_service | Ensure that Azure Cognitive Search disables public network access | Terraform | -| 371 | CKV_AZURE_125 | resource | azurerm_service_fabric_cluster | Ensures that Service Fabric use three levels of protection available | Terraform | -| 372 | CKV_AZURE_126 | resource | azurerm_service_fabric_cluster | Ensures that Active Directory is used for authentication for Service Fabric | Terraform | -| 373 | CKV_AZURE_127 | resource | azurerm_mysql_server | Ensure that My SQL server enables Threat detection policy | Terraform | -| 374 | CKV_AZURE_128 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables Threat detection policy | Terraform | -| 375 | CKV_AZURE_129 | resource | azurerm_mariadb_server | Ensure that MariaDB server enables geo-redundant backups | Terraform | -| 376 | CKV_AZURE_130 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables infrastructure encryption | Terraform | -| 377 | CKV_AZURE_131 | resource | azurerm_security_center_contact | Ensure that 'Security contact emails' is set | Terraform | -| 378 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | -| 379 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 231 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | +| 232 | CKV_AZURE_1 | resource | azurerm_linux_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | +| 233 | CKV_AZURE_1 | resource | azurerm_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | +| 234 | CKV_AZURE_2 | resource | azurerm_managed_disk | Ensure Azure managed disk has encryption enabled | Terraform | +| 235 | CKV_AZURE_3 | resource | azurerm_storage_account | Ensure that 'Secure transfer required' is set to 'Enabled' | Terraform | +| 236 | CKV_AZURE_4 | resource | azurerm_kubernetes_cluster | Ensure AKS logging to Azure Monitoring is Configured | Terraform | +| 237 | CKV_AZURE_5 | resource | azurerm_kubernetes_cluster | Ensure RBAC is enabled on AKS clusters | Terraform | +| 238 | CKV_AZURE_6 | resource | azurerm_kubernetes_cluster | Ensure AKS has an API Server Authorized IP Ranges enabled | Terraform | +| 239 | CKV_AZURE_7 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster has Network Policy configured | Terraform | +| 240 | CKV_AZURE_8 | resource | azurerm_kubernetes_cluster | Ensure Kube Dashboard is disabled | Terraform | +| 241 | CKV_AZURE_9 | resource | azurerm_network_security_rule | Ensure that RDP access is restricted from the internet | Terraform | +| 242 | CKV_AZURE_9 | resource | azurerm_network_security_group | Ensure that RDP access is restricted from the internet | Terraform | +| 243 | CKV_AZURE_10 | resource | azurerm_network_security_rule | Ensure that SSH access is restricted from the internet | Terraform | +| 244 | CKV_AZURE_10 | resource | azurerm_network_security_group | Ensure that SSH access is restricted from the internet | Terraform | +| 245 | CKV_AZURE_11 | resource | azurerm_mariadb_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | +| 246 | CKV_AZURE_11 | resource | azurerm_sql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | +| 247 | CKV_AZURE_11 | resource | azurerm_postgresql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | +| 248 | CKV_AZURE_11 | resource | azurerm_mysql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | +| 249 | CKV_AZURE_12 | resource | azurerm_network_watcher_flow_log | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Terraform | +| 250 | CKV_AZURE_13 | resource | azurerm_app_service | Ensure App Service Authentication is set on Azure App Service | Terraform | +| 251 | CKV_AZURE_14 | resource | azurerm_app_service | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Terraform | +| 252 | CKV_AZURE_15 | resource | azurerm_app_service | Ensure web app is using the latest version of TLS encryption | Terraform | +| 253 | CKV_AZURE_16 | resource | azurerm_app_service | Ensure that Register with Azure Active Directory is enabled on App Service | Terraform | +| 254 | CKV_AZURE_17 | resource | azurerm_app_service | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Terraform | +| 255 | CKV_AZURE_18 | resource | azurerm_app_service | Ensure that 'HTTP Version' is the latest if used to run the web app | Terraform | +| 256 | CKV_AZURE_19 | resource | azurerm_security_center_subscription_pricing | Ensure that standard pricing tier is selected | Terraform | +| 257 | CKV_AZURE_20 | resource | azurerm_security_center_contact | Ensure that security contact 'Phone number' is set | Terraform | +| 258 | CKV_AZURE_21 | resource | azurerm_security_center_contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Terraform | +| 259 | CKV_AZURE_22 | resource | azurerm_security_center_contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Terraform | +| 260 | CKV_AZURE_23 | resource | azurerm_sql_server | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | +| 261 | CKV_AZURE_23 | resource | azurerm_mssql_server | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | +| 262 | CKV_AZURE_24 | resource | azurerm_sql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | +| 263 | CKV_AZURE_24 | resource | azurerm_mssql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | +| 264 | CKV_AZURE_25 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Threat Detection types' is set to 'All' | Terraform | +| 265 | CKV_AZURE_26 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Send Alerts To' is enabled for MSSQL servers | Terraform | +| 266 | CKV_AZURE_27 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | Terraform | +| 267 | CKV_AZURE_28 | resource | azurerm_mysql_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | Terraform | +| 268 | CKV_AZURE_29 | resource | azurerm_postgresql_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Terraform | +| 269 | CKV_AZURE_30 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Terraform | +| 270 | CKV_AZURE_31 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | Terraform | +| 271 | CKV_AZURE_32 | resource | azurerm_postgresql_configuration | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Terraform | +| 272 | CKV_AZURE_33 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Queue service for read, write and delete requests | Terraform | +| 273 | CKV_AZURE_34 | resource | azurerm_storage_container | Ensure that 'Public access level' is set to Private for blob containers | Terraform | +| 274 | CKV_AZURE_35 | resource | azurerm_storage_account | Ensure default network access rule for Storage Accounts is set to deny | Terraform | +| 275 | CKV_AZURE_35 | resource | azurerm_storage_account_network_rules | Ensure default network access rule for Storage Accounts is set to deny | Terraform | +| 276 | CKV_AZURE_36 | resource | azurerm_storage_account | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Terraform | +| 277 | CKV_AZURE_36 | resource | azurerm_storage_account_network_rules | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Terraform | +| 278 | CKV_AZURE_37 | resource | azurerm_monitor_log_profile | Ensure that Activity Log Retention is set 365 days or greater | Terraform | +| 279 | CKV_AZURE_38 | resource | azurerm_monitor_log_profile | Ensure audit profile captures all the activities | Terraform | +| 280 | CKV_AZURE_39 | resource | azurerm_role_definition | Ensure that no custom subscription owner roles are created | Terraform | +| 281 | CKV_AZURE_40 | resource | azurerm_key_vault_key | Ensure that the expiration date is set on all keys | Terraform | +| 282 | CKV_AZURE_41 | resource | azurerm_key_vault_secret | Ensure that the expiration date is set on all secrets | Terraform | +| 283 | CKV_AZURE_42 | resource | azurerm_key_vault | Ensure the key vault is recoverable | Terraform | +| 284 | CKV_AZURE_43 | resource | azurerm_storage_account | Ensure the Storage Account naming rules | Terraform | +| 285 | CKV_AZURE_44 | resource | azurerm_storage_account | Ensure Storage Account is using the latest version of TLS encryption | Terraform | +| 286 | CKV_AZURE_45 | resource | azurerm_virtual_machine | Ensure that no sensitive credentials are exposed in VM custom_data | Terraform | +| 287 | CKV_AZURE_46 | resource | azurerm_mssql_database_extended_auditing_policy | Specifies a retention period of less than 90 days. | Terraform | +| 288 | CKV_AZURE_47 | resource | azurerm_mariadb_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers | Terraform | +| 289 | CKV_AZURE_48 | resource | azurerm_mariadb_server | Ensure 'public network access enabled' is set to 'False' for MariaDB servers | Terraform | +| 290 | CKV_AZURE_49 | resource | azurerm_linux_virtual_machine_scale_set | Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) | Terraform | +| 291 | CKV_AZURE_50 | resource | azurerm_linux_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform | +| 292 | CKV_AZURE_50 | resource | azurerm_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform | +| 293 | CKV_AZURE_52 | resource | azurerm_mssql_server | Ensure MSSQL is using the latest version of TLS encryption | Terraform | +| 294 | CKV_AZURE_53 | resource | azurerm_mysql_server | Ensure 'public network access enabled' is set to 'False' for mySQL servers | Terraform | +| 295 | CKV_AZURE_54 | resource | azurerm_mysql_server | Ensure MySQL is using the latest version of TLS encryption | Terraform | +| 296 | CKV_AZURE_55 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Servers | Terraform | +| 297 | CKV_AZURE_56 | resource | azurerm_function_app | Ensure that function apps enables Authentication | Terraform | +| 298 | CKV_AZURE_57 | resource | azurerm_app_service | Ensure that CORS disallows every resource to access app services | Terraform | +| 299 | CKV_AZURE_58 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces enables managed virtual networks | Terraform | +| 300 | CKV_AZURE_59 | resource | azurerm_storage_account | Ensure that Storage accounts disallow public access | Terraform | +| 301 | CKV_AZURE_60 | resource | azurerm_storage_account | Ensure that storage account enables secure transfer | Terraform | +| 302 | CKV_AZURE_61 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for App Service | Terraform | +| 303 | CKV_AZURE_62 | resource | azurerm_function_app | Ensure function apps are not accessible from all regions | Terraform | +| 304 | CKV_AZURE_63 | resource | azurerm_app_service | Ensure that App service enables HTTP logging | Terraform | +| 305 | CKV_AZURE_64 | resource | azurerm_storage_sync | Ensure that Azure File Sync disables public network access | Terraform | +| 306 | CKV_AZURE_65 | resource | azurerm_app_service | Ensure that App service enables detailed error messages | Terraform | +| 307 | CKV_AZURE_66 | resource | azurerm_app_service | Ensure that App service enables failed request tracing | Terraform | +| 308 | CKV_AZURE_67 | resource | azurerm_function_app | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Terraform | +| 309 | CKV_AZURE_68 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server disables public network access | Terraform | +| 310 | CKV_AZURE_69 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Azure SQL database servers | Terraform | +| 311 | CKV_AZURE_70 | resource | azurerm_function_app | Ensure that Function apps is only accessible over HTTPS | Terraform | +| 312 | CKV_AZURE_71 | resource | azurerm_app_service | Ensure that Managed identity provider is enabled for app services | Terraform | +| 313 | CKV_AZURE_72 | resource | azurerm_app_service | Ensure that remote debugging is not enabled for app services | Terraform | +| 314 | CKV_AZURE_73 | resource | azurerm_automation_variable_bool | Ensure that Automation account variables are encrypted | Terraform | +| 315 | CKV_AZURE_73 | resource | azurerm_automation_variable_string | Ensure that Automation account variables are encrypted | Terraform | +| 316 | CKV_AZURE_73 | resource | azurerm_automation_variable_int | Ensure that Automation account variables are encrypted | Terraform | +| 317 | CKV_AZURE_73 | resource | azurerm_automation_variable_datetime | Ensure that Automation account variables are encrypted | Terraform | +| 318 | CKV_AZURE_74 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer uses disk encryption | Terraform | +| 319 | CKV_AZURE_75 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer uses double encryption | Terraform | +| 320 | CKV_AZURE_76 | resource | azurerm_batch_account | Ensure that Azure Batch account uses key vault to encrypt data | Terraform | +| 321 | CKV_AZURE_77 | resource | azurerm_network_security_rule | Ensure that UDP Services are restricted from the Internet | Terraform | +| 322 | CKV_AZURE_77 | resource | azurerm_network_security_group | Ensure that UDP Services are restricted from the Internet | Terraform | +| 323 | CKV_AZURE_78 | resource | azurerm_app_service | Ensure FTP deployments are disabled | Terraform | +| 324 | CKV_AZURE_79 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for SQL servers on machines | Terraform | +| 325 | CKV_AZURE_80 | resource | azurerm_app_service | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | Terraform | +| 326 | CKV_AZURE_81 | resource | azurerm_app_service | Ensure that 'PHP version' is the latest, if used to run the web app | Terraform | +| 327 | CKV_AZURE_82 | resource | azurerm_app_service | Ensure that 'Python version' is the latest, if used to run the web app | Terraform | +| 328 | CKV_AZURE_83 | resource | azurerm_app_service | Ensure that 'Java version' is the latest, if used to run the web app | Terraform | +| 329 | CKV_AZURE_84 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Storage | Terraform | +| 330 | CKV_AZURE_85 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Kubernetes | Terraform | +| 331 | CKV_AZURE_86 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Container Registries | Terraform | +| 332 | CKV_AZURE_87 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Key Vault | Terraform | +| 333 | CKV_AZURE_88 | resource | azurerm_app_service | Ensure that app services use Azure Files | Terraform | +| 334 | CKV_AZURE_89 | resource | azurerm_redis_cache | Ensure that Azure Cache for Redis disables public network access | Terraform | +| 335 | CKV_AZURE_90 | resource | azurerm_mysql_server | Ensure that MySQL server disables public network access | Terraform | +| 336 | CKV_AZURE_91 | resource | azurerm_redis_cache | Ensure that only SSL are enabled for Cache for Redis | Terraform | +| 337 | CKV_AZURE_92 | resource | azurerm_linux_virtual_machine | Ensure that Virtual Machines use managed disks | Terraform | +| 338 | CKV_AZURE_92 | resource | azurerm_windows_virtual_machine | Ensure that Virtual Machines use managed disks | Terraform | +| 339 | CKV_AZURE_93 | resource | azurerm_managed_disk | Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption | Terraform | +| 340 | CKV_AZURE_94 | resource | azurerm_mysql_server | Ensure that My SQL server enables geo-redundant backups | Terraform | +| 341 | CKV_AZURE_95 | resource | azurerm_virtual_machine_scale_set | Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets | Terraform | +| 342 | CKV_AZURE_96 | resource | azurerm_mysql_server | Ensure that MySQL server enables infrastructure encryption | Terraform | +| 343 | CKV_AZURE_97 | resource | azurerm_linux_virtual_machine_scale_set | Ensure that Virtual machine scale sets have encryption at host enabled | Terraform | +| 344 | CKV_AZURE_97 | resource | azurerm_windows_virtual_machine_scale_set | Ensure that Virtual machine scale sets have encryption at host enabled | Terraform | +| 345 | CKV_AZURE_98 | resource | azurerm_container_group | Ensure that Azure Container group is deployed into virtual network | Terraform | +| 346 | CKV_AZURE_99 | resource | azurerm_cosmosdb_account | Ensure Cosmos DB accounts have restricted access | Terraform | +| 347 | CKV_AZURE_100 | resource | azurerm_cosmosdb_account | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest | Terraform | +| 348 | CKV_AZURE_101 | resource | azurerm_cosmosdb_account | Ensure that Azure Cosmos DB disables public network access | Terraform | +| 349 | CKV_AZURE_102 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables geo-redundant backups | Terraform | +| 350 | CKV_AZURE_103 | resource | azurerm_data_factory | Ensure that Azure Data Factory uses Git repository for source control | Terraform | +| 351 | CKV_AZURE_104 | resource | azurerm_data_factory | Ensure that Azure Data factory public network access is disabled | Terraform | +| 352 | CKV_AZURE_105 | resource | azurerm_data_lake_store | Ensure that Data Lake Store accounts enables encryption | Terraform | +| 353 | CKV_AZURE_106 | resource | azurerm_eventgrid_domain | Ensure that Azure Event Grid Domain public network access is disabled | Terraform | +| 354 | CKV_AZURE_107 | resource | azurerm_api_management | Ensure that API management services use virtual networks | Terraform | +| 355 | CKV_AZURE_108 | resource | azurerm_iothub | Ensure that Azure IoT Hub disables public network access | Terraform | +| 356 | CKV_AZURE_109 | resource | azurerm_key_vault | Ensure that key vault allows firewall rules settings | Terraform | +| 357 | CKV_AZURE_110 | resource | azurerm_key_vault | Ensure that key vault enables purge protection | Terraform | +| 358 | CKV_AZURE_111 | resource | azurerm_key_vault | Ensure that key vault enables soft delete | Terraform | +| 359 | CKV_AZURE_112 | resource | azurerm_key_vault_key | Ensure that key vault key is backed by HSM | Terraform | +| 360 | CKV_AZURE_113 | resource | azurerm_mssql_server | Ensure that SQL server disables public network access | Terraform | +| 361 | CKV_AZURE_114 | resource | azurerm_key_vault_secret | Ensure that key vault secrets have "content_type" set | Terraform | +| 362 | CKV_AZURE_115 | resource | azurerm_kubernetes_cluster | Ensure that AKS enables private clusters | Terraform | +| 363 | CKV_AZURE_116 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses Azure Policies Add-on | Terraform | +| 364 | CKV_AZURE_117 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses disk encryption set | Terraform | +| 365 | CKV_AZURE_118 | resource | azurerm_network_interface | Ensure that Network Interfaces disable IP forwarding | Terraform | +| 366 | CKV_AZURE_119 | resource | azurerm_network_interface | Ensure that Network Interfaces don't use public IPs | Terraform | +| 367 | CKV_AZURE_120 | resource | azurerm_application_gateway | Ensure that Application Gateway enables WAF | Terraform | +| 368 | CKV_AZURE_121 | resource | azurerm_frontdoor | Ensure that Azure Front Door enables WAF | Terraform | +| 369 | CKV_AZURE_122 | resource | azurerm_web_application_firewall_policy | Ensure that Application Gateway uses WAF in "Detection" or "Prevention" modes | Terraform | +| 370 | CKV_AZURE_123 | resource | azurerm_frontdoor_firewall_policy | Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes | Terraform | +| 371 | CKV_AZURE_124 | resource | azurerm_search_service | Ensure that Azure Cognitive Search disables public network access | Terraform | +| 372 | CKV_AZURE_125 | resource | azurerm_service_fabric_cluster | Ensures that Service Fabric use three levels of protection available | Terraform | +| 373 | CKV_AZURE_126 | resource | azurerm_service_fabric_cluster | Ensures that Active Directory is used for authentication for Service Fabric | Terraform | +| 374 | CKV_AZURE_127 | resource | azurerm_mysql_server | Ensure that My SQL server enables Threat detection policy | Terraform | +| 375 | CKV_AZURE_128 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables Threat detection policy | Terraform | +| 376 | CKV_AZURE_129 | resource | azurerm_mariadb_server | Ensure that MariaDB server enables geo-redundant backups | Terraform | +| 377 | CKV_AZURE_130 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables infrastructure encryption | Terraform | +| 378 | CKV_AZURE_131 | resource | azurerm_security_center_contact | Ensure that 'Security contact emails' is set | Terraform | +| 379 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | | 380 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 381 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 382 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 383 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 384 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 385 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 386 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 387 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 388 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 389 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 390 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 381 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 382 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 383 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 384 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 385 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 386 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 387 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 388 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 389 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 390 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | | 391 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | -| 392 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | -| 393 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | +| 392 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 393 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | | 394 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | -| 395 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | -| 396 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 395 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | +| 396 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | | 397 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | -| 398 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | -| 399 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | -| 400 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | +| 398 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 399 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | +| 400 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | | 401 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | -| 402 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | -| 403 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | -| 404 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | -| 405 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 402 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | +| 403 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | +| 404 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | +| 405 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | | 406 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 407 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 408 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 409 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | -| 410 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | -| 411 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | -| 412 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 407 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 408 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 409 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 410 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 411 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 412 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | | 413 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 414 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 415 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 416 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 417 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 418 | CKV_GCP_1 | resource | google_container_cluster | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters | Terraform | -| 419 | CKV_GCP_2 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted ssh access | Terraform | -| 420 | CKV_GCP_3 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted rdp access | Terraform | -| 421 | CKV_GCP_4 | resource | google_compute_ssl_policy | Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites | Terraform | -| 422 | CKV_GCP_6 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance requires all incoming connections to use SSL | Terraform | -| 423 | CKV_GCP_7 | resource | google_container_cluster | Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters | Terraform | -| 424 | CKV_GCP_8 | resource | google_container_cluster | Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters | Terraform | -| 425 | CKV_GCP_9 | resource | google_container_node_pool | Ensure 'Automatic node repair' is enabled for Kubernetes Clusters | Terraform | -| 426 | CKV_GCP_10 | resource | google_container_node_pool | Ensure 'Automatic node upgrade' is enabled for Kubernetes Clusters | Terraform | -| 427 | CKV_GCP_11 | resource | google_sql_database_instance | Ensure that Cloud SQL database Instances are not open to the world | Terraform | -| 428 | CKV_GCP_12 | resource | google_container_cluster | Ensure Network Policy is enabled on Kubernetes Engine Clusters | Terraform | -| 429 | CKV_GCP_13 | resource | google_container_cluster | Ensure a client certificate is used by clients to authenticate to Kubernetes Engine Clusters | Terraform | -| 430 | CKV_GCP_14 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance have backup configuration enabled | Terraform | -| 431 | CKV_GCP_15 | resource | google_bigquery_dataset | Ensure that BigQuery datasets are not anonymously or publicly accessible | Terraform | -| 432 | CKV_GCP_16 | resource | google_dns_managed_zone | Ensure that DNSSEC is enabled for Cloud DNS | Terraform | -| 433 | CKV_GCP_17 | resource | google_dns_managed_zone | Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC | Terraform | -| 434 | CKV_GCP_18 | resource | google_container_cluster | Ensure GKE Control Plane is not public | Terraform | -| 435 | CKV_GCP_19 | resource | google_container_cluster | Ensure GKE basic auth is disabled | Terraform | -| 436 | CKV_GCP_20 | resource | google_container_cluster | Ensure master authorized networks is set to enabled in GKE clusters | Terraform | -| 437 | CKV_GCP_21 | resource | google_container_cluster | Ensure Kubernetes Clusters are configured with Labels | Terraform | -| 438 | CKV_GCP_22 | resource | google_container_node_pool | Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image | Terraform | -| 439 | CKV_GCP_23 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Alias IP ranges enabled | Terraform | -| 440 | CKV_GCP_24 | resource | google_container_cluster | Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters | Terraform | -| 441 | CKV_GCP_25 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Private cluster enabled | Terraform | -| 442 | CKV_GCP_26 | resource | google_compute_subnetwork | Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network | Terraform | -| 443 | CKV_GCP_27 | resource | google_project | Ensure that the default network does not exist in a project | Terraform | -| 444 | CKV_GCP_28 | resource | google_storage_bucket_iam_member | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | -| 445 | CKV_GCP_28 | resource | google_storage_bucket_iam_binding | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | -| 446 | CKV_GCP_29 | resource | google_storage_bucket | Ensure that Cloud Storage buckets have uniform bucket-level access enabled | Terraform | -| 447 | CKV_GCP_30 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account | Terraform | -| 448 | CKV_GCP_31 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | -| 449 | CKV_GCP_32 | resource | google_compute_instance | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | -| 450 | CKV_GCP_33 | resource | google_compute_project_metadata | Ensure oslogin is enabled for a Project | Terraform | -| 451 | CKV_GCP_34 | resource | google_compute_instance | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | -| 452 | CKV_GCP_35 | resource | google_compute_instance | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | -| 453 | CKV_GCP_36 | resource | google_compute_instance | Ensure that IP forwarding is not enabled on Instances | Terraform | -| 454 | CKV_GCP_37 | resource | google_compute_disk | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | -| 455 | CKV_GCP_38 | resource | google_compute_instance | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | -| 456 | CKV_GCP_39 | resource | google_compute_instance | Ensure Compute instances are launched with Shielded VM enabled | Terraform | -| 457 | CKV_GCP_40 | resource | google_compute_instance | Ensure that Compute instances do not have public IP addresses | Terraform | -| 458 | CKV_GCP_41 | resource | google_project_iam_member | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | -| 459 | CKV_GCP_41 | resource | google_project_iam_binding | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | -| 460 | CKV_GCP_42 | resource | google_project_iam_member | Ensure that Service Account has no Admin privileges | Terraform | -| 461 | CKV_GCP_43 | resource | google_kms_crypto_key | Ensure KMS encryption keys are rotated within a period of 90 days | Terraform | -| 462 | CKV_GCP_44 | resource | google_folder_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | -| 463 | CKV_GCP_44 | resource | google_folder_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | -| 464 | CKV_GCP_45 | resource | google_organization_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform | -| 465 | CKV_GCP_45 | resource | google_organization_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform | -| 466 | CKV_GCP_46 | resource | google_project_iam_member | Ensure Default Service account is not used at a project level | Terraform | -| 467 | CKV_GCP_46 | resource | google_project_iam_binding | Ensure Default Service account is not used at a project level | Terraform | -| 468 | CKV_GCP_47 | resource | google_organization_iam_member | Ensure default service account is not used at an organization level | Terraform | -| 469 | CKV_GCP_47 | resource | google_organization_iam_binding | Ensure default service account is not used at an organization level | Terraform | -| 470 | CKV_GCP_48 | resource | google_folder_iam_member | Ensure Default Service account is not used at a folder level | Terraform | -| 471 | CKV_GCP_48 | resource | google_folder_iam_binding | Ensure Default Service account is not used at a folder level | Terraform | -| 472 | CKV_GCP_49 | resource | google_project_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at a project level | Terraform | -| 473 | CKV_GCP_49 | resource | google_project_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at a project level | Terraform | -| 474 | CKV_GCP_50 | resource | google_sql_database_instance | Ensure MySQL database 'local_infile' flag is set to 'off' | Terraform | -| 475 | CKV_GCP_51 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_checkpoints' flag is set to 'on' | Terraform | -| 476 | CKV_GCP_52 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_connections' flag is set to 'on' | Terraform | -| 477 | CKV_GCP_53 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_disconnections' flag is set to 'on' | Terraform | -| 478 | CKV_GCP_54 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_lock_waits' flag is set to 'on' | Terraform | -| 479 | CKV_GCP_55 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_messages' flag is set to a valid value | Terraform | -| 480 | CKV_GCP_56 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_temp_files flag is set to '0' | Terraform | -| 481 | CKV_GCP_57 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_duration_statement' flag is set to '-1' | Terraform | -| 482 | CKV_GCP_58 | resource | google_sql_database_instance | Ensure SQL database 'cross db ownership chaining' flag is set to 'off' | Terraform | -| 483 | CKV_GCP_59 | resource | google_sql_database_instance | Ensure SQL database 'contained database authentication' flag is set to 'off' | Terraform | -| 484 | CKV_GCP_60 | resource | google_sql_database_instance | Ensure SQL database do not have public IP | Terraform | -| 485 | CKV_GCP_61 | resource | google_container_cluster | Enable VPC Flow Logs and Intranode Visibility | Terraform | -| 486 | CKV_GCP_62 | resource | google_storage_bucket | Bucket should log access | Terraform | -| 487 | CKV_GCP_63 | resource | google_storage_bucket | Bucket should not log to itself | Terraform | -| 488 | CKV_GCP_64 | resource | google_container_cluster | Ensure clusters are created with Private Nodes | Terraform | -| 489 | CKV_GCP_65 | resource | google_container_cluster | Manage Kubernetes RBAC users with Google Groups for GKE | Terraform | -| 490 | CKV_GCP_66 | resource | google_container_cluster | Ensure use of Binary Authorization | Terraform | -| 491 | CKV_GCP_67 | resource | google_container_cluster | Ensure legacy Compute Engine instance metadata APIs are Disabled | Terraform | -| 492 | CKV_GCP_68 | resource | google_container_cluster | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | -| 493 | CKV_GCP_68 | resource | google_container_node_pool | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | -| 494 | CKV_GCP_69 | resource | google_container_cluster | Ensure the GKE Metadata Server is Enabled | Terraform | -| 495 | CKV_GCP_69 | resource | google_container_node_pool | Ensure the GKE Metadata Server is Enabled | Terraform | -| 496 | CKV_GCP_70 | resource | google_container_cluster | Ensure the GKE Release Channel is set | Terraform | -| 497 | CKV_GCP_71 | resource | google_container_cluster | Ensure Shielded GKE Nodes are Enabled | Terraform | -| 498 | CKV_GCP_72 | resource | google_container_cluster | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | -| 499 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | -| 500 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | -| 501 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 502 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 503 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 504 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 505 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 506 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 507 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 508 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 509 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 510 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 511 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 512 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 513 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 514 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 515 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 516 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 517 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 518 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 519 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 520 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 521 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 522 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 523 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 524 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 525 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 526 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 527 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 528 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 529 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 530 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 531 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 532 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 533 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 534 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 535 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 536 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 537 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 538 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 539 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 540 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 541 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 542 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 543 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 544 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 545 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 546 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 547 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 548 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 549 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 550 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 551 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 552 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 553 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 554 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 555 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 556 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 557 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 558 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 559 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 560 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 561 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 562 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 563 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 564 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 565 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 566 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 567 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 568 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 569 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 570 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 571 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 572 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 573 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 574 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 575 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 576 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 577 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 578 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 579 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 580 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 581 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 582 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 583 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 584 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 585 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 586 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 587 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 588 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 589 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 590 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 591 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 592 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 593 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 594 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 595 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 596 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 597 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 598 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 599 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 600 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 601 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 602 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 603 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 604 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 605 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 606 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 607 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 608 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 609 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 610 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 611 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 612 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 613 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 614 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 615 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 616 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 617 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 618 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 619 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 620 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 621 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 622 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 623 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 624 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 625 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 626 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 627 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 628 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 629 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 630 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 631 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 632 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 633 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 634 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 635 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 636 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 637 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 638 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 639 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 640 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 641 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 642 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 643 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 644 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 645 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 646 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 647 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 648 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 649 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 650 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 651 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 652 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 653 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 654 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 655 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 656 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 657 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 658 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 659 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 660 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 661 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 662 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 663 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 664 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 665 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 666 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 667 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 668 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 669 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 670 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 671 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 672 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 673 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 674 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 675 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 676 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 677 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 678 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 679 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 680 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 681 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 682 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 683 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 684 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 685 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 686 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 687 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 688 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 689 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 690 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 691 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 692 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 693 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 694 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 695 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 696 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 697 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 698 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 699 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 700 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 701 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 702 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 703 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 704 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 705 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 706 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 707 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 708 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 709 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 710 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 711 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 712 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 713 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 714 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 715 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 716 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 717 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 718 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 719 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 720 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 721 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 722 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 723 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 724 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 725 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 726 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 727 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 728 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 729 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 730 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 731 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 732 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 733 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 734 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 735 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 736 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 737 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 738 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 739 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 740 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 741 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 742 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 743 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 744 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 745 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 746 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 747 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 748 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 749 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 750 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 751 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 752 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 753 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 754 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 755 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 756 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 757 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 758 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 759 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 760 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 761 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 762 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 763 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 764 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 414 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 415 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 416 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 417 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 418 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 419 | CKV_GCP_1 | resource | google_container_cluster | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters | Terraform | +| 420 | CKV_GCP_2 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted ssh access | Terraform | +| 421 | CKV_GCP_3 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted rdp access | Terraform | +| 422 | CKV_GCP_4 | resource | google_compute_ssl_policy | Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites | Terraform | +| 423 | CKV_GCP_6 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance requires all incoming connections to use SSL | Terraform | +| 424 | CKV_GCP_7 | resource | google_container_cluster | Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters | Terraform | +| 425 | CKV_GCP_8 | resource | google_container_cluster | Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters | Terraform | +| 426 | CKV_GCP_9 | resource | google_container_node_pool | Ensure 'Automatic node repair' is enabled for Kubernetes Clusters | Terraform | +| 427 | CKV_GCP_10 | resource | google_container_node_pool | Ensure 'Automatic node upgrade' is enabled for Kubernetes Clusters | Terraform | +| 428 | CKV_GCP_11 | resource | google_sql_database_instance | Ensure that Cloud SQL database Instances are not open to the world | Terraform | +| 429 | CKV_GCP_12 | resource | google_container_cluster | Ensure Network Policy is enabled on Kubernetes Engine Clusters | Terraform | +| 430 | CKV_GCP_13 | resource | google_container_cluster | Ensure a client certificate is used by clients to authenticate to Kubernetes Engine Clusters | Terraform | +| 431 | CKV_GCP_14 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance have backup configuration enabled | Terraform | +| 432 | CKV_GCP_15 | resource | google_bigquery_dataset | Ensure that BigQuery datasets are not anonymously or publicly accessible | Terraform | +| 433 | CKV_GCP_16 | resource | google_dns_managed_zone | Ensure that DNSSEC is enabled for Cloud DNS | Terraform | +| 434 | CKV_GCP_17 | resource | google_dns_managed_zone | Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC | Terraform | +| 435 | CKV_GCP_18 | resource | google_container_cluster | Ensure GKE Control Plane is not public | Terraform | +| 436 | CKV_GCP_19 | resource | google_container_cluster | Ensure GKE basic auth is disabled | Terraform | +| 437 | CKV_GCP_20 | resource | google_container_cluster | Ensure master authorized networks is set to enabled in GKE clusters | Terraform | +| 438 | CKV_GCP_21 | resource | google_container_cluster | Ensure Kubernetes Clusters are configured with Labels | Terraform | +| 439 | CKV_GCP_22 | resource | google_container_node_pool | Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image | Terraform | +| 440 | CKV_GCP_23 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Alias IP ranges enabled | Terraform | +| 441 | CKV_GCP_24 | resource | google_container_cluster | Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters | Terraform | +| 442 | CKV_GCP_25 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Private cluster enabled | Terraform | +| 443 | CKV_GCP_26 | resource | google_compute_subnetwork | Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network | Terraform | +| 444 | CKV_GCP_27 | resource | google_project | Ensure that the default network does not exist in a project | Terraform | +| 445 | CKV_GCP_28 | resource | google_storage_bucket_iam_member | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | +| 446 | CKV_GCP_28 | resource | google_storage_bucket_iam_binding | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | +| 447 | CKV_GCP_29 | resource | google_storage_bucket | Ensure that Cloud Storage buckets have uniform bucket-level access enabled | Terraform | +| 448 | CKV_GCP_30 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account | Terraform | +| 449 | CKV_GCP_31 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | +| 450 | CKV_GCP_32 | resource | google_compute_instance | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | +| 451 | CKV_GCP_33 | resource | google_compute_project_metadata | Ensure oslogin is enabled for a Project | Terraform | +| 452 | CKV_GCP_34 | resource | google_compute_instance | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | +| 453 | CKV_GCP_35 | resource | google_compute_instance | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | +| 454 | CKV_GCP_36 | resource | google_compute_instance | Ensure that IP forwarding is not enabled on Instances | Terraform | +| 455 | CKV_GCP_37 | resource | google_compute_disk | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | +| 456 | CKV_GCP_38 | resource | google_compute_instance | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | +| 457 | CKV_GCP_39 | resource | google_compute_instance | Ensure Compute instances are launched with Shielded VM enabled | Terraform | +| 458 | CKV_GCP_40 | resource | google_compute_instance | Ensure that Compute instances do not have public IP addresses | Terraform | +| 459 | CKV_GCP_41 | resource | google_project_iam_member | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | +| 460 | CKV_GCP_41 | resource | google_project_iam_binding | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | +| 461 | CKV_GCP_42 | resource | google_project_iam_member | Ensure that Service Account has no Admin privileges | Terraform | +| 462 | CKV_GCP_43 | resource | google_kms_crypto_key | Ensure KMS encryption keys are rotated within a period of 90 days | Terraform | +| 463 | CKV_GCP_44 | resource | google_folder_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | +| 464 | CKV_GCP_44 | resource | google_folder_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | +| 465 | CKV_GCP_45 | resource | google_organization_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform | +| 466 | CKV_GCP_45 | resource | google_organization_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform | +| 467 | CKV_GCP_46 | resource | google_project_iam_member | Ensure Default Service account is not used at a project level | Terraform | +| 468 | CKV_GCP_46 | resource | google_project_iam_binding | Ensure Default Service account is not used at a project level | Terraform | +| 469 | CKV_GCP_47 | resource | google_organization_iam_member | Ensure default service account is not used at an organization level | Terraform | +| 470 | CKV_GCP_47 | resource | google_organization_iam_binding | Ensure default service account is not used at an organization level | Terraform | +| 471 | CKV_GCP_48 | resource | google_folder_iam_member | Ensure Default Service account is not used at a folder level | Terraform | +| 472 | CKV_GCP_48 | resource | google_folder_iam_binding | Ensure Default Service account is not used at a folder level | Terraform | +| 473 | CKV_GCP_49 | resource | google_project_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at a project level | Terraform | +| 474 | CKV_GCP_49 | resource | google_project_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at a project level | Terraform | +| 475 | CKV_GCP_50 | resource | google_sql_database_instance | Ensure MySQL database 'local_infile' flag is set to 'off' | Terraform | +| 476 | CKV_GCP_51 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_checkpoints' flag is set to 'on' | Terraform | +| 477 | CKV_GCP_52 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_connections' flag is set to 'on' | Terraform | +| 478 | CKV_GCP_53 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_disconnections' flag is set to 'on' | Terraform | +| 479 | CKV_GCP_54 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_lock_waits' flag is set to 'on' | Terraform | +| 480 | CKV_GCP_55 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_messages' flag is set to a valid value | Terraform | +| 481 | CKV_GCP_56 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_temp_files flag is set to '0' | Terraform | +| 482 | CKV_GCP_57 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_duration_statement' flag is set to '-1' | Terraform | +| 483 | CKV_GCP_58 | resource | google_sql_database_instance | Ensure SQL database 'cross db ownership chaining' flag is set to 'off' | Terraform | +| 484 | CKV_GCP_59 | resource | google_sql_database_instance | Ensure SQL database 'contained database authentication' flag is set to 'off' | Terraform | +| 485 | CKV_GCP_60 | resource | google_sql_database_instance | Ensure SQL database do not have public IP | Terraform | +| 486 | CKV_GCP_61 | resource | google_container_cluster | Enable VPC Flow Logs and Intranode Visibility | Terraform | +| 487 | CKV_GCP_62 | resource | google_storage_bucket | Bucket should log access | Terraform | +| 488 | CKV_GCP_63 | resource | google_storage_bucket | Bucket should not log to itself | Terraform | +| 489 | CKV_GCP_64 | resource | google_container_cluster | Ensure clusters are created with Private Nodes | Terraform | +| 490 | CKV_GCP_65 | resource | google_container_cluster | Manage Kubernetes RBAC users with Google Groups for GKE | Terraform | +| 491 | CKV_GCP_66 | resource | google_container_cluster | Ensure use of Binary Authorization | Terraform | +| 492 | CKV_GCP_67 | resource | google_container_cluster | Ensure legacy Compute Engine instance metadata APIs are Disabled | Terraform | +| 493 | CKV_GCP_68 | resource | google_container_cluster | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | +| 494 | CKV_GCP_68 | resource | google_container_node_pool | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | +| 495 | CKV_GCP_69 | resource | google_container_cluster | Ensure the GKE Metadata Server is Enabled | Terraform | +| 496 | CKV_GCP_69 | resource | google_container_node_pool | Ensure the GKE Metadata Server is Enabled | Terraform | +| 497 | CKV_GCP_70 | resource | google_container_cluster | Ensure the GKE Release Channel is set | Terraform | +| 498 | CKV_GCP_71 | resource | google_container_cluster | Ensure Shielded GKE Nodes are Enabled | Terraform | +| 499 | CKV_GCP_72 | resource | google_container_cluster | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | +| 500 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | +| 501 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | +| 502 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | +| 503 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 504 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 505 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 506 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 507 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 508 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 509 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 510 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 511 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 512 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 513 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 514 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 515 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 516 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 517 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 518 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 519 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 520 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 521 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 522 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 523 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 524 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 525 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 526 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 527 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 528 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 529 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 530 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 531 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 532 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 533 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 534 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 535 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 536 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 537 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 538 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 539 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 540 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 541 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 542 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 543 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 544 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 545 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 546 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 547 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 548 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 549 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 550 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 551 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 552 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 553 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 554 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 555 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 556 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 557 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 558 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 559 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 560 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 561 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 562 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 563 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 564 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 565 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 566 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 567 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 568 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 569 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 570 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 571 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 572 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 573 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 574 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 575 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 576 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 577 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 578 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 579 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 580 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 581 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 582 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 583 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 584 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 585 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 586 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 587 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 588 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 589 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 590 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 591 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 592 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 593 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 594 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 595 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 596 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 597 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 598 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 599 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 600 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 601 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 602 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 603 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 604 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 605 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 606 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 607 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 608 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 609 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 610 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 611 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 612 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 613 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 614 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 615 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 616 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 617 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 618 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 619 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 620 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 621 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 622 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 623 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 624 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 625 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 626 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 627 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 628 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 629 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 630 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 631 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 632 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 633 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 634 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 635 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 636 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 637 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 638 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 639 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 640 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 641 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 642 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 643 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 644 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 645 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 646 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 647 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 648 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 649 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 650 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 651 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 652 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 653 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 654 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 655 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 656 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 657 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 658 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 659 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 660 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 661 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 662 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 663 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 664 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 665 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 666 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 667 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 668 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 669 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 670 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 671 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 672 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 673 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 674 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 675 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 676 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 677 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 678 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 679 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 680 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 681 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 682 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 683 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 684 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 685 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 686 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 687 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 688 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 689 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 690 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 691 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 692 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 693 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 694 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 695 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 696 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 697 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 698 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 699 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 700 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 701 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 702 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 703 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 704 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 705 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 706 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 707 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 708 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 709 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 710 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 711 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 712 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 713 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 714 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 715 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 716 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 717 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 718 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 719 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 720 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 721 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 722 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 723 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 724 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 725 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 726 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 727 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 728 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 729 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 730 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 731 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 732 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 733 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 734 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 735 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 736 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 737 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 738 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 739 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 740 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 741 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 742 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 743 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 744 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 745 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 746 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 747 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 748 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 749 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 750 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 751 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 752 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 753 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 754 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 755 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 756 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 757 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 758 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 759 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 760 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 761 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 762 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 763 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 764 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 765 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 766 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 767 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 768 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 769 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 770 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 771 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 772 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 773 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 766 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 767 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 768 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 769 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 770 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 771 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 772 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 773 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | | 774 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | -| 775 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform | -| 776 | CKV_LIN_1 | provider | linode | Ensure no hard coded Linode tokens exist in provider | Terraform | -| 777 | CKV_LIN_2 | resource | linode_instance | Ensure SSH key set in authorized_keys | Terraform | +| 775 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 776 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform | +| 777 | CKV_LIN_1 | provider | linode | Ensure no hard coded Linode tokens exist in provider | Terraform | +| 778 | CKV_LIN_2 | resource | linode_instance | Ensure SSH key set in authorized_keys | Terraform | --- From 714d1f5e3a76623e39729c648e2885b0092bc792 Mon Sep 17 00:00:00 2001 From: nimrodkor Date: Mon, 9 Aug 2021 19:11:57 +0300 Subject: [PATCH 044/203] Fix build flow --- docs/5.Policy Index/serverless.md | 129 ------------------------------ 1 file changed, 129 deletions(-) diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index 903b7147ef..d35af83ca3 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md @@ -16,132 +16,3 @@ nav_order: 1 --- -| | Id | Type | Entity | Policy | IaC | -|-----|-------------|----------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| -| 0 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | -| 1 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | -| 2 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | -| 3 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | -| 4 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | -| 5 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | -| 6 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | -| 7 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | -| 8 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | -| 9 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | -| 10 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | -| 11 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | -| 12 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | -| 13 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | -| 14 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | -| 15 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 16 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 17 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 18 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 19 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | -| 20 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | -| 21 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | -| 22 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | -| 23 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | -| 24 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | -| 25 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | -| 26 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | -| 27 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | -| 28 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | -| 29 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | -| 30 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | -| 31 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | -| 32 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | -| 33 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | -| 34 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | -| 35 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | -| 36 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | -| 37 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | -| 38 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | -| 39 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | -| 40 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | -| 41 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | -| 42 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | -| 43 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | -| 44 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | -| 45 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | -| 46 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | -| 47 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | -| 48 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | -| 49 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | -| 50 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | -| 51 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | -| 52 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | -| 53 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | -| 54 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | -| 55 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | -| 56 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | -| 57 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | -| 58 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | -| 59 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | -| 60 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | -| 61 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | -| 62 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | -| 63 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | -| 64 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | -| 65 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | -| 66 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | -| 67 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | -| 68 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | -| 69 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | -| 70 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | -| 71 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | -| 72 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | -| 73 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | -| 74 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | -| 75 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | -| 76 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | -| 77 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | -| 78 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | -| 79 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | -| 80 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 81 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 82 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 83 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 84 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 85 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 86 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 87 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 88 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 89 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 90 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 91 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 92 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 93 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 94 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 95 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 96 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 97 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 98 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 99 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 100 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 101 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 102 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 103 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 104 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 105 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | -| 106 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | -| 107 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | -| 108 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | -| 109 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | -| 110 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | -| 111 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | -| 112 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | -| 113 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | -| 114 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | -| 115 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | -| 116 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | -| 117 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | -| 118 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | -| 119 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | -| 120 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | -| 121 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | - - ---- - - From 7dde31709756c1a272e51a30e737602a5d881605 Mon Sep 17 00:00:00 2001 From: nimrodkor Date: Mon, 9 Aug 2021 19:11:57 +0300 Subject: [PATCH 045/203] Fix build flow --- docs/5.Policy Index/all.md | 1730 ++++++++++++++++++------------------ 1 file changed, 866 insertions(+), 864 deletions(-) diff --git a/docs/5.Policy Index/all.md b/docs/5.Policy Index/all.md index 1ce2396f08..012aeaa257 100644 --- a/docs/5.Policy Index/all.md +++ b/docs/5.Policy Index/all.md @@ -325,876 +325,878 @@ nav_order: 1 | 314 | CKV_AWS_170 | resource | aws_qldb_ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Terraform | | 315 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | | 316 | CKV_AWS_171 | resource | aws_emr_security_configuration | Ensure Cluster security configuration encryption is using SSE-KMS | Terraform | -| 317 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | -| 318 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | -| 319 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | -| 320 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | -| 321 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 322 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 323 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | -| 324 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | -| 325 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to an other resource | Terraform | -| 326 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | -| 327 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | -| 328 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | -| 329 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | -| 330 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | -| 331 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | -| 332 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | -| 333 | CKV2_AWS_11 | resource | aws_vpc | Ensure VPC flow logging is enabled in all VPCs | Terraform | -| 334 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | -| 335 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | -| 336 | CKV2_AWS_13 | resource | aws_redshift_cluster | Ensure that Redshift clusters has backup plan of AWS Backup | Terraform | -| 337 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | -| 338 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | -| 339 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 340 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 341 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | -| 342 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | -| 343 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | -| 344 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 345 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 346 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | -| 347 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | -| 348 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | -| 349 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | -| 350 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | -| 351 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | -| 352 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | -| 353 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | -| 354 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | -| 355 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | -| 356 | CKV_AZURE_1 | resource | azurerm_linux_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | -| 357 | CKV_AZURE_1 | resource | azurerm_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | -| 358 | CKV_AZURE_1 | resource | Microsoft.Compute/virtualMachines | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | arm | -| 359 | CKV_AZURE_2 | resource | azurerm_managed_disk | Ensure Azure managed disk has encryption enabled | Terraform | -| 360 | CKV_AZURE_2 | resource | Microsoft.Compute/disks | Ensure Azure managed disk have encryption enabled | arm | -| 361 | CKV_AZURE_3 | resource | azurerm_storage_account | Ensure that 'Secure transfer required' is set to 'Enabled' | Terraform | -| 362 | CKV_AZURE_3 | resource | Microsoft.Storage/storageAccounts | Ensure that 'supportsHttpsTrafficOnly' is set to 'true' | arm | -| 363 | CKV_AZURE_4 | resource | azurerm_kubernetes_cluster | Ensure AKS logging to Azure Monitoring is Configured | Terraform | -| 364 | CKV_AZURE_4 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS logging to Azure Monitoring is Configured | arm | -| 365 | CKV_AZURE_5 | resource | azurerm_kubernetes_cluster | Ensure RBAC is enabled on AKS clusters | Terraform | -| 366 | CKV_AZURE_5 | resource | Microsoft.ContainerService/managedClusters | Ensure RBAC is enabled on AKS clusters | arm | -| 367 | CKV_AZURE_6 | resource | azurerm_kubernetes_cluster | Ensure AKS has an API Server Authorized IP Ranges enabled | Terraform | -| 368 | CKV_AZURE_6 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS has an API Server Authorized IP Ranges enabled | arm | -| 369 | CKV_AZURE_7 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster has Network Policy configured | Terraform | -| 370 | CKV_AZURE_7 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS cluster has Network Policy configured | arm | -| 371 | CKV_AZURE_8 | resource | azurerm_kubernetes_cluster | Ensure Kube Dashboard is disabled | Terraform | -| 372 | CKV_AZURE_8 | resource | Microsoft.ContainerService/managedClusters | Ensure Kubernetes Dashboard is disabled | arm | -| 373 | CKV_AZURE_9 | resource | azurerm_network_security_rule | Ensure that RDP access is restricted from the internet | Terraform | -| 374 | CKV_AZURE_9 | resource | azurerm_network_security_group | Ensure that RDP access is restricted from the internet | Terraform | -| 375 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups | Ensure that RDP access is restricted from the internet | arm | -| 376 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that RDP access is restricted from the internet | arm | -| 377 | CKV_AZURE_10 | resource | azurerm_network_security_rule | Ensure that SSH access is restricted from the internet | Terraform | -| 378 | CKV_AZURE_10 | resource | azurerm_network_security_group | Ensure that SSH access is restricted from the internet | Terraform | -| 379 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups | Ensure that SSH access is restricted from the internet | arm | -| 380 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that SSH access is restricted from the internet | arm | -| 381 | CKV_AZURE_11 | resource | azurerm_mariadb_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | -| 382 | CKV_AZURE_11 | resource | azurerm_sql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | -| 383 | CKV_AZURE_11 | resource | azurerm_postgresql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | -| 384 | CKV_AZURE_11 | resource | azurerm_mysql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | -| 385 | CKV_AZURE_11 | resource | Microsoft.Sql/servers | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | arm | -| 386 | CKV_AZURE_12 | resource | azurerm_network_watcher_flow_log | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Terraform | -| 387 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | -| 388 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | -| 389 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | -| 390 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | -| 391 | CKV_AZURE_13 | resource | azurerm_app_service | Ensure App Service Authentication is set on Azure App Service | Terraform | -| 392 | CKV_AZURE_13 | resource | Microsoft.Web/sites/config | Ensure App Service Authentication is set on Azure App Service | arm | -| 393 | CKV_AZURE_13 | resource | config | Ensure App Service Authentication is set on Azure App Service | arm | -| 394 | CKV_AZURE_14 | resource | azurerm_app_service | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Terraform | -| 395 | CKV_AZURE_14 | resource | Microsoft.Web/sites | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | arm | -| 396 | CKV_AZURE_15 | resource | azurerm_app_service | Ensure web app is using the latest version of TLS encryption | Terraform | -| 397 | CKV_AZURE_15 | resource | Microsoft.Web/sites | Ensure web app is using the latest version of TLS encryption | arm | -| 398 | CKV_AZURE_16 | resource | azurerm_app_service | Ensure that Register with Azure Active Directory is enabled on App Service | Terraform | -| 399 | CKV_AZURE_16 | resource | Microsoft.Web/sites | Ensure that Register with Azure Active Directory is enabled on App Service | arm | -| 400 | CKV_AZURE_17 | resource | azurerm_app_service | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Terraform | -| 401 | CKV_AZURE_17 | resource | Microsoft.Web/sites | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | arm | -| 402 | CKV_AZURE_18 | resource | azurerm_app_service | Ensure that 'HTTP Version' is the latest if used to run the web app | Terraform | -| 403 | CKV_AZURE_18 | resource | Microsoft.Web/sites | Ensure that 'HTTP Version' is the latest if used to run the web app | arm | -| 404 | CKV_AZURE_19 | resource | azurerm_security_center_subscription_pricing | Ensure that standard pricing tier is selected | Terraform | -| 405 | CKV_AZURE_19 | resource | Microsoft.Security/pricings | Ensure that standard pricing tier is selected | arm | -| 406 | CKV_AZURE_20 | resource | azurerm_security_center_contact | Ensure that security contact 'Phone number' is set | Terraform | -| 407 | CKV_AZURE_20 | resource | Microsoft.Security/securityContacts | Ensure that security contact 'Phone number' is set | arm | -| 408 | CKV_AZURE_21 | resource | azurerm_security_center_contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Terraform | -| 409 | CKV_AZURE_21 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | arm | -| 410 | CKV_AZURE_22 | resource | azurerm_security_center_contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Terraform | -| 411 | CKV_AZURE_22 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | arm | -| 412 | CKV_AZURE_23 | resource | azurerm_sql_server | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | -| 413 | CKV_AZURE_23 | resource | azurerm_mssql_server | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | -| 414 | CKV_AZURE_23 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' is set to 'Enabled' for SQL servers | arm | -| 415 | CKV_AZURE_24 | resource | azurerm_sql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | -| 416 | CKV_AZURE_24 | resource | azurerm_mssql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | -| 417 | CKV_AZURE_24 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | arm | -| 418 | CKV_AZURE_25 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Threat Detection types' is set to 'All' | Terraform | -| 419 | CKV_AZURE_25 | resource | Microsoft.Sql/servers/databases | Ensure that 'Threat Detection types' is set to 'All' | arm | -| 420 | CKV_AZURE_26 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Send Alerts To' is enabled for MSSQL servers | Terraform | -| 421 | CKV_AZURE_26 | resource | Microsoft.Sql/servers/databases | Ensure that 'Send Alerts To' is enabled for MSSQL servers | arm | -| 422 | CKV_AZURE_27 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | Terraform | -| 423 | CKV_AZURE_27 | resource | Microsoft.Sql/servers/databases | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | arm | -| 424 | CKV_AZURE_28 | resource | azurerm_mysql_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | Terraform | -| 425 | CKV_AZURE_28 | resource | Microsoft.DBforMySQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | arm | -| 426 | CKV_AZURE_29 | resource | azurerm_postgresql_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Terraform | -| 427 | CKV_AZURE_29 | resource | Microsoft.DBforPostgreSQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | arm | -| 428 | CKV_AZURE_30 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Terraform | -| 429 | CKV_AZURE_30 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | arm | -| 430 | CKV_AZURE_30 | resource | configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | arm | -| 431 | CKV_AZURE_31 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | Terraform | -| 432 | CKV_AZURE_31 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | arm | -| 433 | CKV_AZURE_31 | resource | configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | arm | -| 434 | CKV_AZURE_32 | resource | azurerm_postgresql_configuration | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Terraform | -| 435 | CKV_AZURE_32 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | arm | -| 436 | CKV_AZURE_32 | resource | configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | arm | -| 437 | CKV_AZURE_33 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Queue service for read, write and delete requests | Terraform | -| 438 | CKV_AZURE_33 | resource | Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings | Ensure Storage logging is enabled for Queue service for read, write and delete requests | arm | -| 439 | CKV_AZURE_34 | resource | azurerm_storage_container | Ensure that 'Public access level' is set to Private for blob containers | Terraform | -| 440 | CKV_AZURE_34 | resource | Microsoft.Storage/storageAccounts/blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | arm | -| 441 | CKV_AZURE_34 | resource | containers | Ensure that 'Public access level' is set to Private for blob containers | arm | -| 442 | CKV_AZURE_34 | resource | blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | arm | -| 443 | CKV_AZURE_35 | resource | azurerm_storage_account | Ensure default network access rule for Storage Accounts is set to deny | Terraform | -| 444 | CKV_AZURE_35 | resource | azurerm_storage_account_network_rules | Ensure default network access rule for Storage Accounts is set to deny | Terraform | -| 445 | CKV_AZURE_35 | resource | Microsoft.Storage/storageAccounts | Ensure default network access rule for Storage Accounts is set to deny | arm | -| 446 | CKV_AZURE_36 | resource | azurerm_storage_account | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Terraform | -| 447 | CKV_AZURE_36 | resource | azurerm_storage_account_network_rules | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Terraform | -| 448 | CKV_AZURE_36 | resource | Microsoft.Storage/storageAccounts | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | arm | -| 449 | CKV_AZURE_37 | resource | azurerm_monitor_log_profile | Ensure that Activity Log Retention is set 365 days or greater | Terraform | -| 450 | CKV_AZURE_37 | resource | microsoft.insights/logprofiles | Ensure that Activity Log Retention is set 365 days or greater | arm | -| 451 | CKV_AZURE_38 | resource | azurerm_monitor_log_profile | Ensure audit profile captures all the activities | Terraform | -| 452 | CKV_AZURE_38 | resource | microsoft.insights/logprofiles | Ensure audit profile captures all the activities | arm | -| 453 | CKV_AZURE_39 | resource | azurerm_role_definition | Ensure that no custom subscription owner roles are created | Terraform | -| 454 | CKV_AZURE_39 | resource | Microsoft.Authorization/roleDefinitions | Ensure that no custom subscription owner roles are created | arm | -| 455 | CKV_AZURE_40 | resource | azurerm_key_vault_key | Ensure that the expiration date is set on all keys | Terraform | -| 456 | CKV_AZURE_41 | resource | azurerm_key_vault_secret | Ensure that the expiration date is set on all secrets | Terraform | -| 457 | CKV_AZURE_41 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that the expiration date is set on all secrets | arm | -| 458 | CKV_AZURE_42 | resource | azurerm_key_vault | Ensure the key vault is recoverable | Terraform | -| 459 | CKV_AZURE_42 | resource | Microsoft.KeyVault/vaults | Ensure the key vault is recoverable | arm | -| 460 | CKV_AZURE_43 | resource | azurerm_storage_account | Ensure the Storage Account naming rules | Terraform | -| 461 | CKV_AZURE_44 | resource | azurerm_storage_account | Ensure Storage Account is using the latest version of TLS encryption | Terraform | -| 462 | CKV_AZURE_45 | resource | azurerm_virtual_machine | Ensure that no sensitive credentials are exposed in VM custom_data | Terraform | -| 463 | CKV_AZURE_46 | resource | azurerm_mssql_database_extended_auditing_policy | Specifies a retention period of less than 90 days. | Terraform | -| 464 | CKV_AZURE_47 | resource | azurerm_mariadb_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers | Terraform | -| 465 | CKV_AZURE_48 | resource | azurerm_mariadb_server | Ensure 'public network access enabled' is set to 'False' for MariaDB servers | Terraform | -| 466 | CKV_AZURE_49 | resource | azurerm_linux_virtual_machine_scale_set | Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) | Terraform | -| 467 | CKV_AZURE_50 | resource | azurerm_linux_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform | -| 468 | CKV_AZURE_50 | resource | azurerm_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform | -| 469 | CKV_AZURE_52 | resource | azurerm_mssql_server | Ensure MSSQL is using the latest version of TLS encryption | Terraform | -| 470 | CKV_AZURE_53 | resource | azurerm_mysql_server | Ensure 'public network access enabled' is set to 'False' for mySQL servers | Terraform | -| 471 | CKV_AZURE_54 | resource | azurerm_mysql_server | Ensure MySQL is using the latest version of TLS encryption | Terraform | -| 472 | CKV_AZURE_55 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Servers | Terraform | -| 473 | CKV_AZURE_56 | resource | azurerm_function_app | Ensure that function apps enables Authentication | Terraform | -| 474 | CKV_AZURE_57 | resource | azurerm_app_service | Ensure that CORS disallows every resource to access app services | Terraform | -| 475 | CKV_AZURE_58 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces enables managed virtual networks | Terraform | -| 476 | CKV_AZURE_59 | resource | azurerm_storage_account | Ensure that Storage accounts disallow public access | Terraform | -| 477 | CKV_AZURE_60 | resource | azurerm_storage_account | Ensure that storage account enables secure transfer | Terraform | -| 478 | CKV_AZURE_61 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for App Service | Terraform | -| 479 | CKV_AZURE_62 | resource | azurerm_function_app | Ensure function apps are not accessible from all regions | Terraform | -| 480 | CKV_AZURE_63 | resource | azurerm_app_service | Ensure that App service enables HTTP logging | Terraform | -| 481 | CKV_AZURE_64 | resource | azurerm_storage_sync | Ensure that Azure File Sync disables public network access | Terraform | -| 482 | CKV_AZURE_65 | resource | azurerm_app_service | Ensure that App service enables detailed error messages | Terraform | -| 483 | CKV_AZURE_66 | resource | azurerm_app_service | Ensure that App service enables failed request tracing | Terraform | -| 484 | CKV_AZURE_67 | resource | azurerm_function_app | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Terraform | -| 485 | CKV_AZURE_68 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server disables public network access | Terraform | -| 486 | CKV_AZURE_69 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Azure SQL database servers | Terraform | -| 487 | CKV_AZURE_70 | resource | azurerm_function_app | Ensure that Function apps is only accessible over HTTPS | Terraform | -| 488 | CKV_AZURE_71 | resource | azurerm_app_service | Ensure that Managed identity provider is enabled for app services | Terraform | -| 489 | CKV_AZURE_72 | resource | azurerm_app_service | Ensure that remote debugging is not enabled for app services | Terraform | -| 490 | CKV_AZURE_73 | resource | azurerm_automation_variable_bool | Ensure that Automation account variables are encrypted | Terraform | -| 491 | CKV_AZURE_73 | resource | azurerm_automation_variable_string | Ensure that Automation account variables are encrypted | Terraform | -| 492 | CKV_AZURE_73 | resource | azurerm_automation_variable_int | Ensure that Automation account variables are encrypted | Terraform | -| 493 | CKV_AZURE_73 | resource | azurerm_automation_variable_datetime | Ensure that Automation account variables are encrypted | Terraform | -| 494 | CKV_AZURE_74 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer uses disk encryption | Terraform | -| 495 | CKV_AZURE_75 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer uses double encryption | Terraform | -| 496 | CKV_AZURE_76 | resource | azurerm_batch_account | Ensure that Azure Batch account uses key vault to encrypt data | Terraform | -| 497 | CKV_AZURE_77 | resource | azurerm_network_security_rule | Ensure that UDP Services are restricted from the Internet | Terraform | -| 498 | CKV_AZURE_77 | resource | azurerm_network_security_group | Ensure that UDP Services are restricted from the Internet | Terraform | -| 499 | CKV_AZURE_78 | resource | azurerm_app_service | Ensure FTP deployments are disabled | Terraform | -| 500 | CKV_AZURE_79 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for SQL servers on machines | Terraform | -| 501 | CKV_AZURE_80 | resource | azurerm_app_service | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | Terraform | -| 502 | CKV_AZURE_81 | resource | azurerm_app_service | Ensure that 'PHP version' is the latest, if used to run the web app | Terraform | -| 503 | CKV_AZURE_82 | resource | azurerm_app_service | Ensure that 'Python version' is the latest, if used to run the web app | Terraform | -| 504 | CKV_AZURE_83 | resource | azurerm_app_service | Ensure that 'Java version' is the latest, if used to run the web app | Terraform | -| 505 | CKV_AZURE_84 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Storage | Terraform | -| 506 | CKV_AZURE_85 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Kubernetes | Terraform | -| 507 | CKV_AZURE_86 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Container Registries | Terraform | -| 508 | CKV_AZURE_87 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Key Vault | Terraform | -| 509 | CKV_AZURE_88 | resource | azurerm_app_service | Ensure that app services use Azure Files | Terraform | -| 510 | CKV_AZURE_89 | resource | azurerm_redis_cache | Ensure that Azure Cache for Redis disables public network access | Terraform | -| 511 | CKV_AZURE_90 | resource | azurerm_mysql_server | Ensure that MySQL server disables public network access | Terraform | -| 512 | CKV_AZURE_91 | resource | azurerm_redis_cache | Ensure that only SSL are enabled for Cache for Redis | Terraform | -| 513 | CKV_AZURE_92 | resource | azurerm_linux_virtual_machine | Ensure that Virtual Machines use managed disks | Terraform | -| 514 | CKV_AZURE_92 | resource | azurerm_windows_virtual_machine | Ensure that Virtual Machines use managed disks | Terraform | -| 515 | CKV_AZURE_93 | resource | azurerm_managed_disk | Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption | Terraform | -| 516 | CKV_AZURE_94 | resource | azurerm_mysql_server | Ensure that My SQL server enables geo-redundant backups | Terraform | -| 517 | CKV_AZURE_95 | resource | azurerm_virtual_machine_scale_set | Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets | Terraform | -| 518 | CKV_AZURE_96 | resource | azurerm_mysql_server | Ensure that MySQL server enables infrastructure encryption | Terraform | -| 519 | CKV_AZURE_97 | resource | azurerm_linux_virtual_machine_scale_set | Ensure that Virtual machine scale sets have encryption at host enabled | Terraform | -| 520 | CKV_AZURE_97 | resource | azurerm_windows_virtual_machine_scale_set | Ensure that Virtual machine scale sets have encryption at host enabled | Terraform | -| 521 | CKV_AZURE_98 | resource | azurerm_container_group | Ensure that Azure Container group is deployed into virtual network | Terraform | -| 522 | CKV_AZURE_99 | resource | azurerm_cosmosdb_account | Ensure Cosmos DB accounts have restricted access | Terraform | -| 523 | CKV_AZURE_100 | resource | azurerm_cosmosdb_account | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest | Terraform | -| 524 | CKV_AZURE_101 | resource | azurerm_cosmosdb_account | Ensure that Azure Cosmos DB disables public network access | Terraform | -| 525 | CKV_AZURE_102 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables geo-redundant backups | Terraform | -| 526 | CKV_AZURE_103 | resource | azurerm_data_factory | Ensure that Azure Data Factory uses Git repository for source control | Terraform | -| 527 | CKV_AZURE_104 | resource | azurerm_data_factory | Ensure that Azure Data factory public network access is disabled | Terraform | -| 528 | CKV_AZURE_105 | resource | azurerm_data_lake_store | Ensure that Data Lake Store accounts enables encryption | Terraform | -| 529 | CKV_AZURE_106 | resource | azurerm_eventgrid_domain | Ensure that Azure Event Grid Domain public network access is disabled | Terraform | -| 530 | CKV_AZURE_107 | resource | azurerm_api_management | Ensure that API management services use virtual networks | Terraform | -| 531 | CKV_AZURE_108 | resource | azurerm_iothub | Ensure that Azure IoT Hub disables public network access | Terraform | -| 532 | CKV_AZURE_109 | resource | azurerm_key_vault | Ensure that key vault allows firewall rules settings | Terraform | -| 533 | CKV_AZURE_110 | resource | azurerm_key_vault | Ensure that key vault enables purge protection | Terraform | -| 534 | CKV_AZURE_111 | resource | azurerm_key_vault | Ensure that key vault enables soft delete | Terraform | -| 535 | CKV_AZURE_112 | resource | azurerm_key_vault_key | Ensure that key vault key is backed by HSM | Terraform | -| 536 | CKV_AZURE_113 | resource | azurerm_mssql_server | Ensure that SQL server disables public network access | Terraform | -| 537 | CKV_AZURE_114 | resource | azurerm_key_vault_secret | Ensure that key vault secrets have "content_type" set | Terraform | -| 538 | CKV_AZURE_115 | resource | azurerm_kubernetes_cluster | Ensure that AKS enables private clusters | Terraform | -| 539 | CKV_AZURE_116 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses Azure Policies Add-on | Terraform | -| 540 | CKV_AZURE_117 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses disk encryption set | Terraform | -| 541 | CKV_AZURE_118 | resource | azurerm_network_interface | Ensure that Network Interfaces disable IP forwarding | Terraform | -| 542 | CKV_AZURE_119 | resource | azurerm_network_interface | Ensure that Network Interfaces don't use public IPs | Terraform | -| 543 | CKV_AZURE_120 | resource | azurerm_application_gateway | Ensure that Application Gateway enables WAF | Terraform | -| 544 | CKV_AZURE_121 | resource | azurerm_frontdoor | Ensure that Azure Front Door enables WAF | Terraform | -| 545 | CKV_AZURE_122 | resource | azurerm_web_application_firewall_policy | Ensure that Application Gateway uses WAF in "Detection" or "Prevention" modes | Terraform | -| 546 | CKV_AZURE_123 | resource | azurerm_frontdoor_firewall_policy | Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes | Terraform | -| 547 | CKV_AZURE_124 | resource | azurerm_search_service | Ensure that Azure Cognitive Search disables public network access | Terraform | -| 548 | CKV_AZURE_125 | resource | azurerm_service_fabric_cluster | Ensures that Service Fabric use three levels of protection available | Terraform | -| 549 | CKV_AZURE_126 | resource | azurerm_service_fabric_cluster | Ensures that Active Directory is used for authentication for Service Fabric | Terraform | -| 550 | CKV_AZURE_127 | resource | azurerm_mysql_server | Ensure that My SQL server enables Threat detection policy | Terraform | -| 551 | CKV_AZURE_128 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables Threat detection policy | Terraform | -| 552 | CKV_AZURE_129 | resource | azurerm_mariadb_server | Ensure that MariaDB server enables geo-redundant backups | Terraform | -| 553 | CKV_AZURE_130 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables infrastructure encryption | Terraform | -| 554 | CKV_AZURE_131 | resource | azurerm_security_center_contact | Ensure that 'Security contact emails' is set | Terraform | -| 555 | CKV_AZURE_131 | parameter | secureString | SecureString parameter should not have hardcoded default values | arm | -| 556 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | -| 557 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 558 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 559 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 560 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 317 | CKV_AWS_172 | resource | aws_qldb_ledger | Ensure QLDB ledger has deletion protection enabled | Terraform | +| 318 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | +| 319 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | +| 320 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | +| 321 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 322 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 323 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | +| 324 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | +| 325 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 326 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 327 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to an other resource | Terraform | +| 328 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | +| 329 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | +| 330 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 331 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 332 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | +| 333 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | +| 334 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | +| 335 | CKV2_AWS_11 | resource | aws_vpc | Ensure VPC flow logging is enabled in all VPCs | Terraform | +| 336 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 337 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 338 | CKV2_AWS_13 | resource | aws_redshift_cluster | Ensure that Redshift clusters has backup plan of AWS Backup | Terraform | +| 339 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | +| 340 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | +| 341 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 342 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 343 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | +| 344 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | +| 345 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | +| 346 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | +| 347 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | +| 348 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 349 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 350 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | +| 351 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | +| 352 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | +| 353 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | +| 354 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | +| 355 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | +| 356 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | +| 357 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | +| 358 | CKV_AZURE_1 | resource | azurerm_linux_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | +| 359 | CKV_AZURE_1 | resource | azurerm_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | +| 360 | CKV_AZURE_1 | resource | Microsoft.Compute/virtualMachines | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | arm | +| 361 | CKV_AZURE_2 | resource | azurerm_managed_disk | Ensure Azure managed disk has encryption enabled | Terraform | +| 362 | CKV_AZURE_2 | resource | Microsoft.Compute/disks | Ensure Azure managed disk have encryption enabled | arm | +| 363 | CKV_AZURE_3 | resource | azurerm_storage_account | Ensure that 'Secure transfer required' is set to 'Enabled' | Terraform | +| 364 | CKV_AZURE_3 | resource | Microsoft.Storage/storageAccounts | Ensure that 'supportsHttpsTrafficOnly' is set to 'true' | arm | +| 365 | CKV_AZURE_4 | resource | azurerm_kubernetes_cluster | Ensure AKS logging to Azure Monitoring is Configured | Terraform | +| 366 | CKV_AZURE_4 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS logging to Azure Monitoring is Configured | arm | +| 367 | CKV_AZURE_5 | resource | azurerm_kubernetes_cluster | Ensure RBAC is enabled on AKS clusters | Terraform | +| 368 | CKV_AZURE_5 | resource | Microsoft.ContainerService/managedClusters | Ensure RBAC is enabled on AKS clusters | arm | +| 369 | CKV_AZURE_6 | resource | azurerm_kubernetes_cluster | Ensure AKS has an API Server Authorized IP Ranges enabled | Terraform | +| 370 | CKV_AZURE_6 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS has an API Server Authorized IP Ranges enabled | arm | +| 371 | CKV_AZURE_7 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster has Network Policy configured | Terraform | +| 372 | CKV_AZURE_7 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS cluster has Network Policy configured | arm | +| 373 | CKV_AZURE_8 | resource | azurerm_kubernetes_cluster | Ensure Kube Dashboard is disabled | Terraform | +| 374 | CKV_AZURE_8 | resource | Microsoft.ContainerService/managedClusters | Ensure Kubernetes Dashboard is disabled | arm | +| 375 | CKV_AZURE_9 | resource | azurerm_network_security_rule | Ensure that RDP access is restricted from the internet | Terraform | +| 376 | CKV_AZURE_9 | resource | azurerm_network_security_group | Ensure that RDP access is restricted from the internet | Terraform | +| 377 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups | Ensure that RDP access is restricted from the internet | arm | +| 378 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that RDP access is restricted from the internet | arm | +| 379 | CKV_AZURE_10 | resource | azurerm_network_security_rule | Ensure that SSH access is restricted from the internet | Terraform | +| 380 | CKV_AZURE_10 | resource | azurerm_network_security_group | Ensure that SSH access is restricted from the internet | Terraform | +| 381 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups | Ensure that SSH access is restricted from the internet | arm | +| 382 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that SSH access is restricted from the internet | arm | +| 383 | CKV_AZURE_11 | resource | azurerm_mariadb_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | +| 384 | CKV_AZURE_11 | resource | azurerm_sql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | +| 385 | CKV_AZURE_11 | resource | azurerm_postgresql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | +| 386 | CKV_AZURE_11 | resource | azurerm_mysql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | +| 387 | CKV_AZURE_11 | resource | Microsoft.Sql/servers | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | arm | +| 388 | CKV_AZURE_12 | resource | azurerm_network_watcher_flow_log | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Terraform | +| 389 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | +| 390 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | +| 391 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | +| 392 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | +| 393 | CKV_AZURE_13 | resource | azurerm_app_service | Ensure App Service Authentication is set on Azure App Service | Terraform | +| 394 | CKV_AZURE_13 | resource | Microsoft.Web/sites/config | Ensure App Service Authentication is set on Azure App Service | arm | +| 395 | CKV_AZURE_13 | resource | config | Ensure App Service Authentication is set on Azure App Service | arm | +| 396 | CKV_AZURE_14 | resource | azurerm_app_service | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Terraform | +| 397 | CKV_AZURE_14 | resource | Microsoft.Web/sites | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | arm | +| 398 | CKV_AZURE_15 | resource | azurerm_app_service | Ensure web app is using the latest version of TLS encryption | Terraform | +| 399 | CKV_AZURE_15 | resource | Microsoft.Web/sites | Ensure web app is using the latest version of TLS encryption | arm | +| 400 | CKV_AZURE_16 | resource | azurerm_app_service | Ensure that Register with Azure Active Directory is enabled on App Service | Terraform | +| 401 | CKV_AZURE_16 | resource | Microsoft.Web/sites | Ensure that Register with Azure Active Directory is enabled on App Service | arm | +| 402 | CKV_AZURE_17 | resource | azurerm_app_service | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Terraform | +| 403 | CKV_AZURE_17 | resource | Microsoft.Web/sites | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | arm | +| 404 | CKV_AZURE_18 | resource | azurerm_app_service | Ensure that 'HTTP Version' is the latest if used to run the web app | Terraform | +| 405 | CKV_AZURE_18 | resource | Microsoft.Web/sites | Ensure that 'HTTP Version' is the latest if used to run the web app | arm | +| 406 | CKV_AZURE_19 | resource | azurerm_security_center_subscription_pricing | Ensure that standard pricing tier is selected | Terraform | +| 407 | CKV_AZURE_19 | resource | Microsoft.Security/pricings | Ensure that standard pricing tier is selected | arm | +| 408 | CKV_AZURE_20 | resource | azurerm_security_center_contact | Ensure that security contact 'Phone number' is set | Terraform | +| 409 | CKV_AZURE_20 | resource | Microsoft.Security/securityContacts | Ensure that security contact 'Phone number' is set | arm | +| 410 | CKV_AZURE_21 | resource | azurerm_security_center_contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Terraform | +| 411 | CKV_AZURE_21 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | arm | +| 412 | CKV_AZURE_22 | resource | azurerm_security_center_contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Terraform | +| 413 | CKV_AZURE_22 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | arm | +| 414 | CKV_AZURE_23 | resource | azurerm_sql_server | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | +| 415 | CKV_AZURE_23 | resource | azurerm_mssql_server | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | +| 416 | CKV_AZURE_23 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' is set to 'Enabled' for SQL servers | arm | +| 417 | CKV_AZURE_24 | resource | azurerm_sql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | +| 418 | CKV_AZURE_24 | resource | azurerm_mssql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | +| 419 | CKV_AZURE_24 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | arm | +| 420 | CKV_AZURE_25 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Threat Detection types' is set to 'All' | Terraform | +| 421 | CKV_AZURE_25 | resource | Microsoft.Sql/servers/databases | Ensure that 'Threat Detection types' is set to 'All' | arm | +| 422 | CKV_AZURE_26 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Send Alerts To' is enabled for MSSQL servers | Terraform | +| 423 | CKV_AZURE_26 | resource | Microsoft.Sql/servers/databases | Ensure that 'Send Alerts To' is enabled for MSSQL servers | arm | +| 424 | CKV_AZURE_27 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | Terraform | +| 425 | CKV_AZURE_27 | resource | Microsoft.Sql/servers/databases | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | arm | +| 426 | CKV_AZURE_28 | resource | azurerm_mysql_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | Terraform | +| 427 | CKV_AZURE_28 | resource | Microsoft.DBforMySQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | arm | +| 428 | CKV_AZURE_29 | resource | azurerm_postgresql_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Terraform | +| 429 | CKV_AZURE_29 | resource | Microsoft.DBforPostgreSQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | arm | +| 430 | CKV_AZURE_30 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Terraform | +| 431 | CKV_AZURE_30 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | arm | +| 432 | CKV_AZURE_30 | resource | configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | arm | +| 433 | CKV_AZURE_31 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | Terraform | +| 434 | CKV_AZURE_31 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | arm | +| 435 | CKV_AZURE_31 | resource | configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | arm | +| 436 | CKV_AZURE_32 | resource | azurerm_postgresql_configuration | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Terraform | +| 437 | CKV_AZURE_32 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | arm | +| 438 | CKV_AZURE_32 | resource | configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | arm | +| 439 | CKV_AZURE_33 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Queue service for read, write and delete requests | Terraform | +| 440 | CKV_AZURE_33 | resource | Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings | Ensure Storage logging is enabled for Queue service for read, write and delete requests | arm | +| 441 | CKV_AZURE_34 | resource | azurerm_storage_container | Ensure that 'Public access level' is set to Private for blob containers | Terraform | +| 442 | CKV_AZURE_34 | resource | Microsoft.Storage/storageAccounts/blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | arm | +| 443 | CKV_AZURE_34 | resource | containers | Ensure that 'Public access level' is set to Private for blob containers | arm | +| 444 | CKV_AZURE_34 | resource | blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | arm | +| 445 | CKV_AZURE_35 | resource | azurerm_storage_account | Ensure default network access rule for Storage Accounts is set to deny | Terraform | +| 446 | CKV_AZURE_35 | resource | azurerm_storage_account_network_rules | Ensure default network access rule for Storage Accounts is set to deny | Terraform | +| 447 | CKV_AZURE_35 | resource | Microsoft.Storage/storageAccounts | Ensure default network access rule for Storage Accounts is set to deny | arm | +| 448 | CKV_AZURE_36 | resource | azurerm_storage_account | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Terraform | +| 449 | CKV_AZURE_36 | resource | azurerm_storage_account_network_rules | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Terraform | +| 450 | CKV_AZURE_36 | resource | Microsoft.Storage/storageAccounts | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | arm | +| 451 | CKV_AZURE_37 | resource | azurerm_monitor_log_profile | Ensure that Activity Log Retention is set 365 days or greater | Terraform | +| 452 | CKV_AZURE_37 | resource | microsoft.insights/logprofiles | Ensure that Activity Log Retention is set 365 days or greater | arm | +| 453 | CKV_AZURE_38 | resource | azurerm_monitor_log_profile | Ensure audit profile captures all the activities | Terraform | +| 454 | CKV_AZURE_38 | resource | microsoft.insights/logprofiles | Ensure audit profile captures all the activities | arm | +| 455 | CKV_AZURE_39 | resource | azurerm_role_definition | Ensure that no custom subscription owner roles are created | Terraform | +| 456 | CKV_AZURE_39 | resource | Microsoft.Authorization/roleDefinitions | Ensure that no custom subscription owner roles are created | arm | +| 457 | CKV_AZURE_40 | resource | azurerm_key_vault_key | Ensure that the expiration date is set on all keys | Terraform | +| 458 | CKV_AZURE_41 | resource | azurerm_key_vault_secret | Ensure that the expiration date is set on all secrets | Terraform | +| 459 | CKV_AZURE_41 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that the expiration date is set on all secrets | arm | +| 460 | CKV_AZURE_42 | resource | azurerm_key_vault | Ensure the key vault is recoverable | Terraform | +| 461 | CKV_AZURE_42 | resource | Microsoft.KeyVault/vaults | Ensure the key vault is recoverable | arm | +| 462 | CKV_AZURE_43 | resource | azurerm_storage_account | Ensure the Storage Account naming rules | Terraform | +| 463 | CKV_AZURE_44 | resource | azurerm_storage_account | Ensure Storage Account is using the latest version of TLS encryption | Terraform | +| 464 | CKV_AZURE_45 | resource | azurerm_virtual_machine | Ensure that no sensitive credentials are exposed in VM custom_data | Terraform | +| 465 | CKV_AZURE_46 | resource | azurerm_mssql_database_extended_auditing_policy | Specifies a retention period of less than 90 days. | Terraform | +| 466 | CKV_AZURE_47 | resource | azurerm_mariadb_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers | Terraform | +| 467 | CKV_AZURE_48 | resource | azurerm_mariadb_server | Ensure 'public network access enabled' is set to 'False' for MariaDB servers | Terraform | +| 468 | CKV_AZURE_49 | resource | azurerm_linux_virtual_machine_scale_set | Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) | Terraform | +| 469 | CKV_AZURE_50 | resource | azurerm_linux_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform | +| 470 | CKV_AZURE_50 | resource | azurerm_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform | +| 471 | CKV_AZURE_52 | resource | azurerm_mssql_server | Ensure MSSQL is using the latest version of TLS encryption | Terraform | +| 472 | CKV_AZURE_53 | resource | azurerm_mysql_server | Ensure 'public network access enabled' is set to 'False' for mySQL servers | Terraform | +| 473 | CKV_AZURE_54 | resource | azurerm_mysql_server | Ensure MySQL is using the latest version of TLS encryption | Terraform | +| 474 | CKV_AZURE_55 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Servers | Terraform | +| 475 | CKV_AZURE_56 | resource | azurerm_function_app | Ensure that function apps enables Authentication | Terraform | +| 476 | CKV_AZURE_57 | resource | azurerm_app_service | Ensure that CORS disallows every resource to access app services | Terraform | +| 477 | CKV_AZURE_58 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces enables managed virtual networks | Terraform | +| 478 | CKV_AZURE_59 | resource | azurerm_storage_account | Ensure that Storage accounts disallow public access | Terraform | +| 479 | CKV_AZURE_60 | resource | azurerm_storage_account | Ensure that storage account enables secure transfer | Terraform | +| 480 | CKV_AZURE_61 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for App Service | Terraform | +| 481 | CKV_AZURE_62 | resource | azurerm_function_app | Ensure function apps are not accessible from all regions | Terraform | +| 482 | CKV_AZURE_63 | resource | azurerm_app_service | Ensure that App service enables HTTP logging | Terraform | +| 483 | CKV_AZURE_64 | resource | azurerm_storage_sync | Ensure that Azure File Sync disables public network access | Terraform | +| 484 | CKV_AZURE_65 | resource | azurerm_app_service | Ensure that App service enables detailed error messages | Terraform | +| 485 | CKV_AZURE_66 | resource | azurerm_app_service | Ensure that App service enables failed request tracing | Terraform | +| 486 | CKV_AZURE_67 | resource | azurerm_function_app | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Terraform | +| 487 | CKV_AZURE_68 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server disables public network access | Terraform | +| 488 | CKV_AZURE_69 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Azure SQL database servers | Terraform | +| 489 | CKV_AZURE_70 | resource | azurerm_function_app | Ensure that Function apps is only accessible over HTTPS | Terraform | +| 490 | CKV_AZURE_71 | resource | azurerm_app_service | Ensure that Managed identity provider is enabled for app services | Terraform | +| 491 | CKV_AZURE_72 | resource | azurerm_app_service | Ensure that remote debugging is not enabled for app services | Terraform | +| 492 | CKV_AZURE_73 | resource | azurerm_automation_variable_bool | Ensure that Automation account variables are encrypted | Terraform | +| 493 | CKV_AZURE_73 | resource | azurerm_automation_variable_string | Ensure that Automation account variables are encrypted | Terraform | +| 494 | CKV_AZURE_73 | resource | azurerm_automation_variable_int | Ensure that Automation account variables are encrypted | Terraform | +| 495 | CKV_AZURE_73 | resource | azurerm_automation_variable_datetime | Ensure that Automation account variables are encrypted | Terraform | +| 496 | CKV_AZURE_74 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer uses disk encryption | Terraform | +| 497 | CKV_AZURE_75 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer uses double encryption | Terraform | +| 498 | CKV_AZURE_76 | resource | azurerm_batch_account | Ensure that Azure Batch account uses key vault to encrypt data | Terraform | +| 499 | CKV_AZURE_77 | resource | azurerm_network_security_rule | Ensure that UDP Services are restricted from the Internet | Terraform | +| 500 | CKV_AZURE_77 | resource | azurerm_network_security_group | Ensure that UDP Services are restricted from the Internet | Terraform | +| 501 | CKV_AZURE_78 | resource | azurerm_app_service | Ensure FTP deployments are disabled | Terraform | +| 502 | CKV_AZURE_79 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for SQL servers on machines | Terraform | +| 503 | CKV_AZURE_80 | resource | azurerm_app_service | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | Terraform | +| 504 | CKV_AZURE_81 | resource | azurerm_app_service | Ensure that 'PHP version' is the latest, if used to run the web app | Terraform | +| 505 | CKV_AZURE_82 | resource | azurerm_app_service | Ensure that 'Python version' is the latest, if used to run the web app | Terraform | +| 506 | CKV_AZURE_83 | resource | azurerm_app_service | Ensure that 'Java version' is the latest, if used to run the web app | Terraform | +| 507 | CKV_AZURE_84 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Storage | Terraform | +| 508 | CKV_AZURE_85 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Kubernetes | Terraform | +| 509 | CKV_AZURE_86 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Container Registries | Terraform | +| 510 | CKV_AZURE_87 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Key Vault | Terraform | +| 511 | CKV_AZURE_88 | resource | azurerm_app_service | Ensure that app services use Azure Files | Terraform | +| 512 | CKV_AZURE_89 | resource | azurerm_redis_cache | Ensure that Azure Cache for Redis disables public network access | Terraform | +| 513 | CKV_AZURE_90 | resource | azurerm_mysql_server | Ensure that MySQL server disables public network access | Terraform | +| 514 | CKV_AZURE_91 | resource | azurerm_redis_cache | Ensure that only SSL are enabled for Cache for Redis | Terraform | +| 515 | CKV_AZURE_92 | resource | azurerm_linux_virtual_machine | Ensure that Virtual Machines use managed disks | Terraform | +| 516 | CKV_AZURE_92 | resource | azurerm_windows_virtual_machine | Ensure that Virtual Machines use managed disks | Terraform | +| 517 | CKV_AZURE_93 | resource | azurerm_managed_disk | Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption | Terraform | +| 518 | CKV_AZURE_94 | resource | azurerm_mysql_server | Ensure that My SQL server enables geo-redundant backups | Terraform | +| 519 | CKV_AZURE_95 | resource | azurerm_virtual_machine_scale_set | Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets | Terraform | +| 520 | CKV_AZURE_96 | resource | azurerm_mysql_server | Ensure that MySQL server enables infrastructure encryption | Terraform | +| 521 | CKV_AZURE_97 | resource | azurerm_linux_virtual_machine_scale_set | Ensure that Virtual machine scale sets have encryption at host enabled | Terraform | +| 522 | CKV_AZURE_97 | resource | azurerm_windows_virtual_machine_scale_set | Ensure that Virtual machine scale sets have encryption at host enabled | Terraform | +| 523 | CKV_AZURE_98 | resource | azurerm_container_group | Ensure that Azure Container group is deployed into virtual network | Terraform | +| 524 | CKV_AZURE_99 | resource | azurerm_cosmosdb_account | Ensure Cosmos DB accounts have restricted access | Terraform | +| 525 | CKV_AZURE_100 | resource | azurerm_cosmosdb_account | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest | Terraform | +| 526 | CKV_AZURE_101 | resource | azurerm_cosmosdb_account | Ensure that Azure Cosmos DB disables public network access | Terraform | +| 527 | CKV_AZURE_102 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables geo-redundant backups | Terraform | +| 528 | CKV_AZURE_103 | resource | azurerm_data_factory | Ensure that Azure Data Factory uses Git repository for source control | Terraform | +| 529 | CKV_AZURE_104 | resource | azurerm_data_factory | Ensure that Azure Data factory public network access is disabled | Terraform | +| 530 | CKV_AZURE_105 | resource | azurerm_data_lake_store | Ensure that Data Lake Store accounts enables encryption | Terraform | +| 531 | CKV_AZURE_106 | resource | azurerm_eventgrid_domain | Ensure that Azure Event Grid Domain public network access is disabled | Terraform | +| 532 | CKV_AZURE_107 | resource | azurerm_api_management | Ensure that API management services use virtual networks | Terraform | +| 533 | CKV_AZURE_108 | resource | azurerm_iothub | Ensure that Azure IoT Hub disables public network access | Terraform | +| 534 | CKV_AZURE_109 | resource | azurerm_key_vault | Ensure that key vault allows firewall rules settings | Terraform | +| 535 | CKV_AZURE_110 | resource | azurerm_key_vault | Ensure that key vault enables purge protection | Terraform | +| 536 | CKV_AZURE_111 | resource | azurerm_key_vault | Ensure that key vault enables soft delete | Terraform | +| 537 | CKV_AZURE_112 | resource | azurerm_key_vault_key | Ensure that key vault key is backed by HSM | Terraform | +| 538 | CKV_AZURE_113 | resource | azurerm_mssql_server | Ensure that SQL server disables public network access | Terraform | +| 539 | CKV_AZURE_114 | resource | azurerm_key_vault_secret | Ensure that key vault secrets have "content_type" set | Terraform | +| 540 | CKV_AZURE_115 | resource | azurerm_kubernetes_cluster | Ensure that AKS enables private clusters | Terraform | +| 541 | CKV_AZURE_116 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses Azure Policies Add-on | Terraform | +| 542 | CKV_AZURE_117 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses disk encryption set | Terraform | +| 543 | CKV_AZURE_118 | resource | azurerm_network_interface | Ensure that Network Interfaces disable IP forwarding | Terraform | +| 544 | CKV_AZURE_119 | resource | azurerm_network_interface | Ensure that Network Interfaces don't use public IPs | Terraform | +| 545 | CKV_AZURE_120 | resource | azurerm_application_gateway | Ensure that Application Gateway enables WAF | Terraform | +| 546 | CKV_AZURE_121 | resource | azurerm_frontdoor | Ensure that Azure Front Door enables WAF | Terraform | +| 547 | CKV_AZURE_122 | resource | azurerm_web_application_firewall_policy | Ensure that Application Gateway uses WAF in "Detection" or "Prevention" modes | Terraform | +| 548 | CKV_AZURE_123 | resource | azurerm_frontdoor_firewall_policy | Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes | Terraform | +| 549 | CKV_AZURE_124 | resource | azurerm_search_service | Ensure that Azure Cognitive Search disables public network access | Terraform | +| 550 | CKV_AZURE_125 | resource | azurerm_service_fabric_cluster | Ensures that Service Fabric use three levels of protection available | Terraform | +| 551 | CKV_AZURE_126 | resource | azurerm_service_fabric_cluster | Ensures that Active Directory is used for authentication for Service Fabric | Terraform | +| 552 | CKV_AZURE_127 | resource | azurerm_mysql_server | Ensure that My SQL server enables Threat detection policy | Terraform | +| 553 | CKV_AZURE_128 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables Threat detection policy | Terraform | +| 554 | CKV_AZURE_129 | resource | azurerm_mariadb_server | Ensure that MariaDB server enables geo-redundant backups | Terraform | +| 555 | CKV_AZURE_130 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables infrastructure encryption | Terraform | +| 556 | CKV_AZURE_131 | resource | azurerm_security_center_contact | Ensure that 'Security contact emails' is set | Terraform | +| 557 | CKV_AZURE_131 | parameter | secureString | SecureString parameter should not have hardcoded default values | arm | +| 558 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | +| 559 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 560 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | | 561 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 562 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 563 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 562 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 563 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 564 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 565 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 566 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 565 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 566 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 567 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 568 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | -| 569 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | -| 570 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | -| 571 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | -| 572 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | -| 573 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | -| 574 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | -| 575 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | -| 576 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | -| 577 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | -| 578 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | -| 579 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | -| 580 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | -| 581 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | -| 582 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | -| 583 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 584 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 585 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 586 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 587 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | -| 588 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | -| 589 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | -| 590 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 591 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 568 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 569 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 570 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 571 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 572 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | +| 573 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | +| 574 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | +| 575 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | +| 576 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 577 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 578 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | +| 579 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | +| 580 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | +| 581 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | +| 582 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | +| 583 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | +| 584 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | +| 585 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 586 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 587 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 588 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 589 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 590 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 591 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | | 592 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 593 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 594 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 595 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 596 | CKV_DOCKER_1 | dockerfile | EXPOSE | Ensure port 22 is not exposed | dockerfile | -| 597 | CKV_DOCKER_2 | dockerfile | * | Ensure that HEALTHCHECK instructions have been added to container images | dockerfile | -| 598 | CKV_DOCKER_3 | dockerfile | * | Ensure that a user for the container has been created | dockerfile | -| 599 | CKV_DOCKER_4 | dockerfile | ADD | Ensure that COPY is used instead of ADD in Dockerfiles | dockerfile | -| 600 | CKV_DOCKER_5 | dockerfile | RUN | Ensure update instructions are not use alone in the Dockerfile | dockerfile | -| 601 | CKV_DOCKER_6 | dockerfile | MAINTAINER | Ensure that LABEL maintainer is used instead of MAINTAINER (deprecated) | dockerfile | -| 602 | CKV_DOCKER_7 | dockerfile | FROM | Ensure the base image uses a non latest version tag | dockerfile | -| 603 | CKV_DOCKER_8 | dockerfile | USER | Ensure the last USER is not root | dockerfile | -| 604 | CKV_GCP_1 | resource | google_container_cluster | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters | Terraform | -| 605 | CKV_GCP_2 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted ssh access | Terraform | -| 606 | CKV_GCP_3 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted rdp access | Terraform | -| 607 | CKV_GCP_4 | resource | google_compute_ssl_policy | Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites | Terraform | -| 608 | CKV_GCP_6 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance requires all incoming connections to use SSL | Terraform | -| 609 | CKV_GCP_7 | resource | google_container_cluster | Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters | Terraform | -| 610 | CKV_GCP_8 | resource | google_container_cluster | Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters | Terraform | -| 611 | CKV_GCP_9 | resource | google_container_node_pool | Ensure 'Automatic node repair' is enabled for Kubernetes Clusters | Terraform | -| 612 | CKV_GCP_10 | resource | google_container_node_pool | Ensure 'Automatic node upgrade' is enabled for Kubernetes Clusters | Terraform | -| 613 | CKV_GCP_11 | resource | google_sql_database_instance | Ensure that Cloud SQL database Instances are not open to the world | Terraform | -| 614 | CKV_GCP_12 | resource | google_container_cluster | Ensure Network Policy is enabled on Kubernetes Engine Clusters | Terraform | -| 615 | CKV_GCP_13 | resource | google_container_cluster | Ensure a client certificate is used by clients to authenticate to Kubernetes Engine Clusters | Terraform | -| 616 | CKV_GCP_14 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance have backup configuration enabled | Terraform | -| 617 | CKV_GCP_15 | resource | google_bigquery_dataset | Ensure that BigQuery datasets are not anonymously or publicly accessible | Terraform | -| 618 | CKV_GCP_16 | resource | google_dns_managed_zone | Ensure that DNSSEC is enabled for Cloud DNS | Terraform | -| 619 | CKV_GCP_17 | resource | google_dns_managed_zone | Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC | Terraform | -| 620 | CKV_GCP_18 | resource | google_container_cluster | Ensure GKE Control Plane is not public | Terraform | -| 621 | CKV_GCP_19 | resource | google_container_cluster | Ensure GKE basic auth is disabled | Terraform | -| 622 | CKV_GCP_20 | resource | google_container_cluster | Ensure master authorized networks is set to enabled in GKE clusters | Terraform | -| 623 | CKV_GCP_21 | resource | google_container_cluster | Ensure Kubernetes Clusters are configured with Labels | Terraform | -| 624 | CKV_GCP_22 | resource | google_container_node_pool | Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image | Terraform | -| 625 | CKV_GCP_23 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Alias IP ranges enabled | Terraform | -| 626 | CKV_GCP_24 | resource | google_container_cluster | Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters | Terraform | -| 627 | CKV_GCP_25 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Private cluster enabled | Terraform | -| 628 | CKV_GCP_26 | resource | google_compute_subnetwork | Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network | Terraform | -| 629 | CKV_GCP_27 | resource | google_project | Ensure that the default network does not exist in a project | Terraform | -| 630 | CKV_GCP_28 | resource | google_storage_bucket_iam_member | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | -| 631 | CKV_GCP_28 | resource | google_storage_bucket_iam_binding | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | -| 632 | CKV_GCP_29 | resource | google_storage_bucket | Ensure that Cloud Storage buckets have uniform bucket-level access enabled | Terraform | -| 633 | CKV_GCP_30 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account | Terraform | -| 634 | CKV_GCP_31 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | -| 635 | CKV_GCP_32 | resource | google_compute_instance | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | -| 636 | CKV_GCP_33 | resource | google_compute_project_metadata | Ensure oslogin is enabled for a Project | Terraform | -| 637 | CKV_GCP_34 | resource | google_compute_instance | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | -| 638 | CKV_GCP_35 | resource | google_compute_instance | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | -| 639 | CKV_GCP_36 | resource | google_compute_instance | Ensure that IP forwarding is not enabled on Instances | Terraform | -| 640 | CKV_GCP_37 | resource | google_compute_disk | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | -| 641 | CKV_GCP_38 | resource | google_compute_instance | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | -| 642 | CKV_GCP_39 | resource | google_compute_instance | Ensure Compute instances are launched with Shielded VM enabled | Terraform | -| 643 | CKV_GCP_40 | resource | google_compute_instance | Ensure that Compute instances do not have public IP addresses | Terraform | -| 644 | CKV_GCP_41 | resource | google_project_iam_member | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | -| 645 | CKV_GCP_41 | resource | google_project_iam_binding | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | -| 646 | CKV_GCP_42 | resource | google_project_iam_member | Ensure that Service Account has no Admin privileges | Terraform | -| 647 | CKV_GCP_43 | resource | google_kms_crypto_key | Ensure KMS encryption keys are rotated within a period of 90 days | Terraform | -| 648 | CKV_GCP_44 | resource | google_folder_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | -| 649 | CKV_GCP_44 | resource | google_folder_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | -| 650 | CKV_GCP_45 | resource | google_organization_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform | -| 651 | CKV_GCP_45 | resource | google_organization_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform | -| 652 | CKV_GCP_46 | resource | google_project_iam_member | Ensure Default Service account is not used at a project level | Terraform | -| 653 | CKV_GCP_46 | resource | google_project_iam_binding | Ensure Default Service account is not used at a project level | Terraform | -| 654 | CKV_GCP_47 | resource | google_organization_iam_member | Ensure default service account is not used at an organization level | Terraform | -| 655 | CKV_GCP_47 | resource | google_organization_iam_binding | Ensure default service account is not used at an organization level | Terraform | -| 656 | CKV_GCP_48 | resource | google_folder_iam_member | Ensure Default Service account is not used at a folder level | Terraform | -| 657 | CKV_GCP_48 | resource | google_folder_iam_binding | Ensure Default Service account is not used at a folder level | Terraform | -| 658 | CKV_GCP_49 | resource | google_project_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at a project level | Terraform | -| 659 | CKV_GCP_49 | resource | google_project_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at a project level | Terraform | -| 660 | CKV_GCP_50 | resource | google_sql_database_instance | Ensure MySQL database 'local_infile' flag is set to 'off' | Terraform | -| 661 | CKV_GCP_51 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_checkpoints' flag is set to 'on' | Terraform | -| 662 | CKV_GCP_52 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_connections' flag is set to 'on' | Terraform | -| 663 | CKV_GCP_53 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_disconnections' flag is set to 'on' | Terraform | -| 664 | CKV_GCP_54 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_lock_waits' flag is set to 'on' | Terraform | -| 665 | CKV_GCP_55 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_messages' flag is set to a valid value | Terraform | -| 666 | CKV_GCP_56 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_temp_files flag is set to '0' | Terraform | -| 667 | CKV_GCP_57 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_duration_statement' flag is set to '-1' | Terraform | -| 668 | CKV_GCP_58 | resource | google_sql_database_instance | Ensure SQL database 'cross db ownership chaining' flag is set to 'off' | Terraform | -| 669 | CKV_GCP_59 | resource | google_sql_database_instance | Ensure SQL database 'contained database authentication' flag is set to 'off' | Terraform | -| 670 | CKV_GCP_60 | resource | google_sql_database_instance | Ensure SQL database do not have public IP | Terraform | -| 671 | CKV_GCP_61 | resource | google_container_cluster | Enable VPC Flow Logs and Intranode Visibility | Terraform | -| 672 | CKV_GCP_62 | resource | google_storage_bucket | Bucket should log access | Terraform | -| 673 | CKV_GCP_63 | resource | google_storage_bucket | Bucket should not log to itself | Terraform | -| 674 | CKV_GCP_64 | resource | google_container_cluster | Ensure clusters are created with Private Nodes | Terraform | -| 675 | CKV_GCP_65 | resource | google_container_cluster | Manage Kubernetes RBAC users with Google Groups for GKE | Terraform | -| 676 | CKV_GCP_66 | resource | google_container_cluster | Ensure use of Binary Authorization | Terraform | -| 677 | CKV_GCP_67 | resource | google_container_cluster | Ensure legacy Compute Engine instance metadata APIs are Disabled | Terraform | -| 678 | CKV_GCP_68 | resource | google_container_cluster | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | -| 679 | CKV_GCP_68 | resource | google_container_node_pool | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | -| 680 | CKV_GCP_69 | resource | google_container_cluster | Ensure the GKE Metadata Server is Enabled | Terraform | -| 681 | CKV_GCP_69 | resource | google_container_node_pool | Ensure the GKE Metadata Server is Enabled | Terraform | -| 682 | CKV_GCP_70 | resource | google_container_cluster | Ensure the GKE Release Channel is set | Terraform | -| 683 | CKV_GCP_71 | resource | google_container_cluster | Ensure Shielded GKE Nodes are Enabled | Terraform | -| 684 | CKV_GCP_72 | resource | google_container_cluster | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | -| 685 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | -| 686 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | -| 687 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 688 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 689 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 690 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 691 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 692 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 693 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 694 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 695 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 696 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 697 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 698 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 699 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 700 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 701 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 702 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 703 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 704 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 705 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 706 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 707 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 708 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 709 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 710 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 711 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 712 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 713 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 714 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 715 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 716 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 717 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 718 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 719 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 720 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 721 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 722 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 723 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 724 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 725 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 726 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 727 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 728 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 729 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 730 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 731 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 732 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 733 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 734 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 735 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 736 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 737 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 738 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 739 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 740 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 741 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 742 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 743 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 744 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 745 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 746 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 747 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 748 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 749 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 750 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 751 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 752 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 753 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 754 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 755 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 756 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 757 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 758 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 759 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 760 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 761 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 762 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 763 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 764 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 765 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 766 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 767 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 768 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 769 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 770 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 771 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 772 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 773 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 774 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 775 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 776 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 777 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 778 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 779 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 780 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 781 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 782 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 783 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 784 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 785 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 786 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 787 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 788 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 789 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 790 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 791 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 792 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 793 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 794 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 795 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 796 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 797 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 798 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 799 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 800 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 801 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 802 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 803 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 804 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 805 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 806 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 807 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 808 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 809 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 810 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 811 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 812 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 813 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 814 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 815 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 816 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 817 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 818 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 819 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 820 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 821 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 822 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 823 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 824 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 825 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 826 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 827 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 828 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 829 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 830 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 831 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 832 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 833 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 834 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 835 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 836 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 837 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 838 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 839 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 840 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 841 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 842 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 843 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 844 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 845 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 846 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 847 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 848 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 849 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 850 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 851 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 852 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 853 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 854 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 855 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 856 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 857 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 858 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 859 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 860 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 861 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 862 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 863 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 864 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 865 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 866 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 867 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 868 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 869 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 870 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 871 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 872 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 873 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 874 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 875 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 876 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 877 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 878 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 879 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 880 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 881 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 882 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 883 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 884 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 885 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 886 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 887 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 888 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 889 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 890 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 891 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 892 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 893 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 894 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 895 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 593 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 594 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 595 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 596 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 597 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 598 | CKV_DOCKER_1 | dockerfile | EXPOSE | Ensure port 22 is not exposed | dockerfile | +| 599 | CKV_DOCKER_2 | dockerfile | * | Ensure that HEALTHCHECK instructions have been added to container images | dockerfile | +| 600 | CKV_DOCKER_3 | dockerfile | * | Ensure that a user for the container has been created | dockerfile | +| 601 | CKV_DOCKER_4 | dockerfile | ADD | Ensure that COPY is used instead of ADD in Dockerfiles | dockerfile | +| 602 | CKV_DOCKER_5 | dockerfile | RUN | Ensure update instructions are not use alone in the Dockerfile | dockerfile | +| 603 | CKV_DOCKER_6 | dockerfile | MAINTAINER | Ensure that LABEL maintainer is used instead of MAINTAINER (deprecated) | dockerfile | +| 604 | CKV_DOCKER_7 | dockerfile | FROM | Ensure the base image uses a non latest version tag | dockerfile | +| 605 | CKV_DOCKER_8 | dockerfile | USER | Ensure the last USER is not root | dockerfile | +| 606 | CKV_GCP_1 | resource | google_container_cluster | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters | Terraform | +| 607 | CKV_GCP_2 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted ssh access | Terraform | +| 608 | CKV_GCP_3 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted rdp access | Terraform | +| 609 | CKV_GCP_4 | resource | google_compute_ssl_policy | Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites | Terraform | +| 610 | CKV_GCP_6 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance requires all incoming connections to use SSL | Terraform | +| 611 | CKV_GCP_7 | resource | google_container_cluster | Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters | Terraform | +| 612 | CKV_GCP_8 | resource | google_container_cluster | Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters | Terraform | +| 613 | CKV_GCP_9 | resource | google_container_node_pool | Ensure 'Automatic node repair' is enabled for Kubernetes Clusters | Terraform | +| 614 | CKV_GCP_10 | resource | google_container_node_pool | Ensure 'Automatic node upgrade' is enabled for Kubernetes Clusters | Terraform | +| 615 | CKV_GCP_11 | resource | google_sql_database_instance | Ensure that Cloud SQL database Instances are not open to the world | Terraform | +| 616 | CKV_GCP_12 | resource | google_container_cluster | Ensure Network Policy is enabled on Kubernetes Engine Clusters | Terraform | +| 617 | CKV_GCP_13 | resource | google_container_cluster | Ensure a client certificate is used by clients to authenticate to Kubernetes Engine Clusters | Terraform | +| 618 | CKV_GCP_14 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance have backup configuration enabled | Terraform | +| 619 | CKV_GCP_15 | resource | google_bigquery_dataset | Ensure that BigQuery datasets are not anonymously or publicly accessible | Terraform | +| 620 | CKV_GCP_16 | resource | google_dns_managed_zone | Ensure that DNSSEC is enabled for Cloud DNS | Terraform | +| 621 | CKV_GCP_17 | resource | google_dns_managed_zone | Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC | Terraform | +| 622 | CKV_GCP_18 | resource | google_container_cluster | Ensure GKE Control Plane is not public | Terraform | +| 623 | CKV_GCP_19 | resource | google_container_cluster | Ensure GKE basic auth is disabled | Terraform | +| 624 | CKV_GCP_20 | resource | google_container_cluster | Ensure master authorized networks is set to enabled in GKE clusters | Terraform | +| 625 | CKV_GCP_21 | resource | google_container_cluster | Ensure Kubernetes Clusters are configured with Labels | Terraform | +| 626 | CKV_GCP_22 | resource | google_container_node_pool | Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image | Terraform | +| 627 | CKV_GCP_23 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Alias IP ranges enabled | Terraform | +| 628 | CKV_GCP_24 | resource | google_container_cluster | Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters | Terraform | +| 629 | CKV_GCP_25 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Private cluster enabled | Terraform | +| 630 | CKV_GCP_26 | resource | google_compute_subnetwork | Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network | Terraform | +| 631 | CKV_GCP_27 | resource | google_project | Ensure that the default network does not exist in a project | Terraform | +| 632 | CKV_GCP_28 | resource | google_storage_bucket_iam_member | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | +| 633 | CKV_GCP_28 | resource | google_storage_bucket_iam_binding | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | +| 634 | CKV_GCP_29 | resource | google_storage_bucket | Ensure that Cloud Storage buckets have uniform bucket-level access enabled | Terraform | +| 635 | CKV_GCP_30 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account | Terraform | +| 636 | CKV_GCP_31 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | +| 637 | CKV_GCP_32 | resource | google_compute_instance | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | +| 638 | CKV_GCP_33 | resource | google_compute_project_metadata | Ensure oslogin is enabled for a Project | Terraform | +| 639 | CKV_GCP_34 | resource | google_compute_instance | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | +| 640 | CKV_GCP_35 | resource | google_compute_instance | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | +| 641 | CKV_GCP_36 | resource | google_compute_instance | Ensure that IP forwarding is not enabled on Instances | Terraform | +| 642 | CKV_GCP_37 | resource | google_compute_disk | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | +| 643 | CKV_GCP_38 | resource | google_compute_instance | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | +| 644 | CKV_GCP_39 | resource | google_compute_instance | Ensure Compute instances are launched with Shielded VM enabled | Terraform | +| 645 | CKV_GCP_40 | resource | google_compute_instance | Ensure that Compute instances do not have public IP addresses | Terraform | +| 646 | CKV_GCP_41 | resource | google_project_iam_member | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | +| 647 | CKV_GCP_41 | resource | google_project_iam_binding | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | +| 648 | CKV_GCP_42 | resource | google_project_iam_member | Ensure that Service Account has no Admin privileges | Terraform | +| 649 | CKV_GCP_43 | resource | google_kms_crypto_key | Ensure KMS encryption keys are rotated within a period of 90 days | Terraform | +| 650 | CKV_GCP_44 | resource | google_folder_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | +| 651 | CKV_GCP_44 | resource | google_folder_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | +| 652 | CKV_GCP_45 | resource | google_organization_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform | +| 653 | CKV_GCP_45 | resource | google_organization_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform | +| 654 | CKV_GCP_46 | resource | google_project_iam_member | Ensure Default Service account is not used at a project level | Terraform | +| 655 | CKV_GCP_46 | resource | google_project_iam_binding | Ensure Default Service account is not used at a project level | Terraform | +| 656 | CKV_GCP_47 | resource | google_organization_iam_member | Ensure default service account is not used at an organization level | Terraform | +| 657 | CKV_GCP_47 | resource | google_organization_iam_binding | Ensure default service account is not used at an organization level | Terraform | +| 658 | CKV_GCP_48 | resource | google_folder_iam_member | Ensure Default Service account is not used at a folder level | Terraform | +| 659 | CKV_GCP_48 | resource | google_folder_iam_binding | Ensure Default Service account is not used at a folder level | Terraform | +| 660 | CKV_GCP_49 | resource | google_project_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at a project level | Terraform | +| 661 | CKV_GCP_49 | resource | google_project_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at a project level | Terraform | +| 662 | CKV_GCP_50 | resource | google_sql_database_instance | Ensure MySQL database 'local_infile' flag is set to 'off' | Terraform | +| 663 | CKV_GCP_51 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_checkpoints' flag is set to 'on' | Terraform | +| 664 | CKV_GCP_52 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_connections' flag is set to 'on' | Terraform | +| 665 | CKV_GCP_53 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_disconnections' flag is set to 'on' | Terraform | +| 666 | CKV_GCP_54 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_lock_waits' flag is set to 'on' | Terraform | +| 667 | CKV_GCP_55 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_messages' flag is set to a valid value | Terraform | +| 668 | CKV_GCP_56 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_temp_files flag is set to '0' | Terraform | +| 669 | CKV_GCP_57 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_duration_statement' flag is set to '-1' | Terraform | +| 670 | CKV_GCP_58 | resource | google_sql_database_instance | Ensure SQL database 'cross db ownership chaining' flag is set to 'off' | Terraform | +| 671 | CKV_GCP_59 | resource | google_sql_database_instance | Ensure SQL database 'contained database authentication' flag is set to 'off' | Terraform | +| 672 | CKV_GCP_60 | resource | google_sql_database_instance | Ensure SQL database do not have public IP | Terraform | +| 673 | CKV_GCP_61 | resource | google_container_cluster | Enable VPC Flow Logs and Intranode Visibility | Terraform | +| 674 | CKV_GCP_62 | resource | google_storage_bucket | Bucket should log access | Terraform | +| 675 | CKV_GCP_63 | resource | google_storage_bucket | Bucket should not log to itself | Terraform | +| 676 | CKV_GCP_64 | resource | google_container_cluster | Ensure clusters are created with Private Nodes | Terraform | +| 677 | CKV_GCP_65 | resource | google_container_cluster | Manage Kubernetes RBAC users with Google Groups for GKE | Terraform | +| 678 | CKV_GCP_66 | resource | google_container_cluster | Ensure use of Binary Authorization | Terraform | +| 679 | CKV_GCP_67 | resource | google_container_cluster | Ensure legacy Compute Engine instance metadata APIs are Disabled | Terraform | +| 680 | CKV_GCP_68 | resource | google_container_cluster | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | +| 681 | CKV_GCP_68 | resource | google_container_node_pool | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | +| 682 | CKV_GCP_69 | resource | google_container_cluster | Ensure the GKE Metadata Server is Enabled | Terraform | +| 683 | CKV_GCP_69 | resource | google_container_node_pool | Ensure the GKE Metadata Server is Enabled | Terraform | +| 684 | CKV_GCP_70 | resource | google_container_cluster | Ensure the GKE Release Channel is set | Terraform | +| 685 | CKV_GCP_71 | resource | google_container_cluster | Ensure Shielded GKE Nodes are Enabled | Terraform | +| 686 | CKV_GCP_72 | resource | google_container_cluster | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | +| 687 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | +| 688 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | +| 689 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | +| 690 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 691 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 692 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 693 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 694 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 695 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 696 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 697 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 698 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 699 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 700 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 701 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 702 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 703 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 704 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 705 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 706 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 707 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 708 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 709 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 710 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 711 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 712 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 713 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 714 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 715 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 716 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 717 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 718 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 719 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 720 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 721 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 722 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 723 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 724 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 725 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 726 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 727 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 728 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 729 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 730 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 731 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 732 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 733 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 734 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 735 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 736 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 737 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 738 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 739 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 740 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 741 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 742 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 743 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 744 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 745 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 746 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 747 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 748 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 749 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 750 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 751 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 752 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 753 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 754 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 755 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 756 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 757 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 758 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 759 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 760 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 761 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 762 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 763 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 764 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 765 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 766 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 767 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 768 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 769 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 770 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 771 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 772 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 773 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 774 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 775 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 776 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 777 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 778 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 779 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 780 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 781 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 782 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 783 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 784 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 785 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 786 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 787 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 788 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 789 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 790 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 791 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 792 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 793 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 794 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 795 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 796 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 797 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 798 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 799 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 800 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 801 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 802 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 803 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 804 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 805 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 806 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 807 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 808 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 809 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 810 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 811 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 812 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 813 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 814 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 815 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 816 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 817 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 818 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 819 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 820 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 821 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 822 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 823 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 824 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 825 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 826 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 827 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 828 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 829 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 830 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 831 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 832 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 833 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 834 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 835 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 836 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 837 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 838 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 839 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 840 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 841 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 842 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 843 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 844 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 845 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 846 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 847 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 848 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 849 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 850 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 851 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 852 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 853 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 854 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 855 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 856 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 857 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 858 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 859 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 860 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 861 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 862 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 863 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 864 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 865 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 866 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 867 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 868 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 869 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 870 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 871 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 872 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 873 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 874 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 875 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 876 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 877 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 878 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 879 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 880 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 881 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 882 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 883 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 884 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 885 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 886 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 887 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 888 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 889 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 890 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 891 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 892 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 893 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 894 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 895 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 896 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 897 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 898 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 899 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 900 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 901 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 902 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 903 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 904 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 905 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 906 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 907 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 908 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 909 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 910 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 911 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 912 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 913 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 914 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 915 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 916 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 917 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 918 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 919 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 920 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 921 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 922 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 923 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 924 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 925 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 926 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 927 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 928 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 929 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 930 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 931 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 932 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 933 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 934 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 935 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 936 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 937 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 938 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 939 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 940 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 941 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 942 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 943 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 944 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 945 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 946 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 947 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 948 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 949 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 950 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 951 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 952 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 897 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 898 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 899 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 900 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 901 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 902 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 903 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 904 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 905 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 906 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 907 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 908 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 909 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 910 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 911 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 912 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 913 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 914 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 915 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 916 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 917 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 918 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 919 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 920 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 921 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 922 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 923 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 924 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 925 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 926 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 927 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 928 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 929 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 930 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 931 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 932 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 933 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 934 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 935 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 936 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 937 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 938 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 939 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 940 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 941 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 942 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 943 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 944 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 945 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 946 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 947 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 948 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 949 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 950 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 951 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 952 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 953 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 954 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 955 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 956 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 957 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 958 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 959 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | -| 960 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | -| 961 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform | -| 962 | CKV_K8S_1 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host process ID namespace | Kubernetes | -| 963 | CKV_K8S_2 | resource | PodSecurityPolicy | Do not admit privileged containers | Kubernetes | -| 964 | CKV_K8S_3 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host IPC namespace | Kubernetes | -| 965 | CKV_K8S_4 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host network namespace | Kubernetes | -| 966 | CKV_K8S_5 | resource | PodSecurityPolicy | Containers should not run with allowPrivilegeEscalation | Kubernetes | -| 967 | CKV_K8S_6 | resource | PodSecurityPolicy | Do not admit root containers | Kubernetes | -| 968 | CKV_K8S_7 | resource | PodSecurityPolicy | Do not admit containers with the NET_RAW capability | Kubernetes | -| 969 | CKV_K8S_8 | resource | containers | Liveness Probe Should be Configured | Kubernetes | -| 970 | CKV_K8S_9 | resource | containers | Readiness Probe Should be Configured | Kubernetes | -| 971 | CKV_K8S_10 | resource | containers | CPU requests should be set | Kubernetes | -| 972 | CKV_K8S_10 | resource | initContainers | CPU requests should be set | Kubernetes | -| 973 | CKV_K8S_11 | resource | containers | CPU limits should be set | Kubernetes | -| 974 | CKV_K8S_11 | resource | initContainers | CPU limits should be set | Kubernetes | -| 975 | CKV_K8S_12 | resource | containers | Memory requests should be set | Kubernetes | -| 976 | CKV_K8S_12 | resource | initContainers | Memory requests should be set | Kubernetes | -| 977 | CKV_K8S_13 | resource | containers | Memory limits should be set | Kubernetes | -| 978 | CKV_K8S_13 | resource | initContainers | Memory limits should be set | Kubernetes | -| 979 | CKV_K8S_14 | resource | containers | Image Tag should be fixed - not latest or blank | Kubernetes | -| 980 | CKV_K8S_14 | resource | initContainers | Image Tag should be fixed - not latest or blank | Kubernetes | -| 981 | CKV_K8S_15 | resource | containers | Image Pull Policy should be Always | Kubernetes | -| 982 | CKV_K8S_15 | resource | initContainers | Image Pull Policy should be Always | Kubernetes | -| 983 | CKV_K8S_16 | resource | containers | Container should not be privileged | Kubernetes | -| 984 | CKV_K8S_16 | resource | initContainers | Container should not be privileged | Kubernetes | -| 985 | CKV_K8S_17 | resource | Pod | Containers should not share the host process ID namespace | Kubernetes | -| 986 | CKV_K8S_17 | resource | Deployment | Containers should not share the host process ID namespace | Kubernetes | -| 987 | CKV_K8S_17 | resource | DaemonSet | Containers should not share the host process ID namespace | Kubernetes | -| 988 | CKV_K8S_17 | resource | StatefulSet | Containers should not share the host process ID namespace | Kubernetes | -| 989 | CKV_K8S_17 | resource | ReplicaSet | Containers should not share the host process ID namespace | Kubernetes | -| 990 | CKV_K8S_17 | resource | ReplicationController | Containers should not share the host process ID namespace | Kubernetes | -| 991 | CKV_K8S_17 | resource | Job | Containers should not share the host process ID namespace | Kubernetes | -| 992 | CKV_K8S_17 | resource | CronJob | Containers should not share the host process ID namespace | Kubernetes | -| 993 | CKV_K8S_18 | resource | Pod | Containers should not share the host IPC namespace | Kubernetes | -| 994 | CKV_K8S_18 | resource | Deployment | Containers should not share the host IPC namespace | Kubernetes | -| 995 | CKV_K8S_18 | resource | DaemonSet | Containers should not share the host IPC namespace | Kubernetes | -| 996 | CKV_K8S_18 | resource | StatefulSet | Containers should not share the host IPC namespace | Kubernetes | -| 997 | CKV_K8S_18 | resource | ReplicaSet | Containers should not share the host IPC namespace | Kubernetes | -| 998 | CKV_K8S_18 | resource | ReplicationController | Containers should not share the host IPC namespace | Kubernetes | -| 999 | CKV_K8S_18 | resource | Job | Containers should not share the host IPC namespace | Kubernetes | -| 1000 | CKV_K8S_18 | resource | CronJob | Containers should not share the host IPC namespace | Kubernetes | -| 1001 | CKV_K8S_19 | resource | Pod | Containers should not share the host network namespace | Kubernetes | -| 1002 | CKV_K8S_19 | resource | Deployment | Containers should not share the host network namespace | Kubernetes | -| 1003 | CKV_K8S_19 | resource | DaemonSet | Containers should not share the host network namespace | Kubernetes | -| 1004 | CKV_K8S_19 | resource | StatefulSet | Containers should not share the host network namespace | Kubernetes | -| 1005 | CKV_K8S_19 | resource | ReplicaSet | Containers should not share the host network namespace | Kubernetes | -| 1006 | CKV_K8S_19 | resource | ReplicationController | Containers should not share the host network namespace | Kubernetes | -| 1007 | CKV_K8S_19 | resource | Job | Containers should not share the host network namespace | Kubernetes | -| 1008 | CKV_K8S_19 | resource | CronJob | Containers should not share the host network namespace | Kubernetes | -| 1009 | CKV_K8S_20 | resource | containers | Containers should not run with allowPrivilegeEscalation | Kubernetes | -| 1010 | CKV_K8S_20 | resource | initContainers | Containers should not run with allowPrivilegeEscalation | Kubernetes | -| 1011 | CKV_K8S_21 | resource | Service | The default namespace should not be used | Kubernetes | -| 1012 | CKV_K8S_21 | resource | Pod | The default namespace should not be used | Kubernetes | -| 1013 | CKV_K8S_21 | resource | Deployment | The default namespace should not be used | Kubernetes | -| 1014 | CKV_K8S_21 | resource | DaemonSet | The default namespace should not be used | Kubernetes | -| 1015 | CKV_K8S_21 | resource | StatefulSet | The default namespace should not be used | Kubernetes | -| 1016 | CKV_K8S_21 | resource | ReplicaSet | The default namespace should not be used | Kubernetes | -| 1017 | CKV_K8S_21 | resource | ReplicationController | The default namespace should not be used | Kubernetes | -| 1018 | CKV_K8S_21 | resource | Job | The default namespace should not be used | Kubernetes | -| 1019 | CKV_K8S_21 | resource | CronJob | The default namespace should not be used | Kubernetes | -| 1020 | CKV_K8S_21 | resource | Secret | The default namespace should not be used | Kubernetes | -| 1021 | CKV_K8S_21 | resource | ServiceAccount | The default namespace should not be used | Kubernetes | -| 1022 | CKV_K8S_21 | resource | Role | The default namespace should not be used | Kubernetes | -| 1023 | CKV_K8S_21 | resource | RoleBinding | The default namespace should not be used | Kubernetes | -| 1024 | CKV_K8S_21 | resource | ConfigMap | The default namespace should not be used | Kubernetes | -| 1025 | CKV_K8S_21 | resource | Ingress | The default namespace should not be used | Kubernetes | -| 1026 | CKV_K8S_22 | resource | containers | Use read-only filesystem for containers where possible | Kubernetes | -| 1027 | CKV_K8S_22 | resource | initContainers | Use read-only filesystem for containers where possible | Kubernetes | -| 1028 | CKV_K8S_23 | resource | Pod | Minimize the admission of root containers | Kubernetes | -| 1029 | CKV_K8S_23 | resource | Deployment | Minimize the admission of root containers | Kubernetes | -| 1030 | CKV_K8S_23 | resource | DaemonSet | Minimize the admission of root containers | Kubernetes | -| 1031 | CKV_K8S_23 | resource | StatefulSet | Minimize the admission of root containers | Kubernetes | -| 1032 | CKV_K8S_23 | resource | ReplicaSet | Minimize the admission of root containers | Kubernetes | -| 1033 | CKV_K8S_23 | resource | ReplicationController | Minimize the admission of root containers | Kubernetes | -| 1034 | CKV_K8S_23 | resource | Job | Minimize the admission of root containers | Kubernetes | -| 1035 | CKV_K8S_23 | resource | CronJob | Minimize the admission of root containers | Kubernetes | -| 1036 | CKV_K8S_24 | resource | PodSecurityPolicy | Do not allow containers with added capability | Kubernetes | -| 1037 | CKV_K8S_25 | resource | containers | Minimize the admission of containers with added capability | Kubernetes | -| 1038 | CKV_K8S_25 | resource | initContainers | Minimize the admission of containers with added capability | Kubernetes | -| 1039 | CKV_K8S_26 | resource | containers | Do not specify hostPort unless absolutely necessary | Kubernetes | -| 1040 | CKV_K8S_26 | resource | initContainers | Do not specify hostPort unless absolutely necessary | Kubernetes | -| 1041 | CKV_K8S_27 | resource | Pod | Do not expose the docker daemon socket to containers | Kubernetes | -| 1042 | CKV_K8S_27 | resource | Deployment | Do not expose the docker daemon socket to containers | Kubernetes | -| 1043 | CKV_K8S_27 | resource | DaemonSet | Do not expose the docker daemon socket to containers | Kubernetes | -| 1044 | CKV_K8S_27 | resource | StatefulSet | Do not expose the docker daemon socket to containers | Kubernetes | -| 1045 | CKV_K8S_27 | resource | ReplicaSet | Do not expose the docker daemon socket to containers | Kubernetes | -| 1046 | CKV_K8S_27 | resource | ReplicationController | Do not expose the docker daemon socket to containers | Kubernetes | -| 1047 | CKV_K8S_27 | resource | Job | Do not expose the docker daemon socket to containers | Kubernetes | -| 1048 | CKV_K8S_27 | resource | CronJob | Do not expose the docker daemon socket to containers | Kubernetes | -| 1049 | CKV_K8S_28 | resource | containers | Minimize the admission of containers with the NET_RAW capability | Kubernetes | -| 1050 | CKV_K8S_28 | resource | initContainers | Minimize the admission of containers with the NET_RAW capability | Kubernetes | -| 1051 | CKV_K8S_29 | resource | Pod | Apply security context to your pods and containers | Kubernetes | -| 1052 | CKV_K8S_29 | resource | Deployment | Apply security context to your pods and containers | Kubernetes | -| 1053 | CKV_K8S_29 | resource | DaemonSet | Apply security context to your pods and containers | Kubernetes | -| 1054 | CKV_K8S_29 | resource | StatefulSet | Apply security context to your pods and containers | Kubernetes | -| 1055 | CKV_K8S_29 | resource | ReplicaSet | Apply security context to your pods and containers | Kubernetes | -| 1056 | CKV_K8S_29 | resource | ReplicationController | Apply security context to your pods and containers | Kubernetes | -| 1057 | CKV_K8S_29 | resource | Job | Apply security context to your pods and containers | Kubernetes | -| 1058 | CKV_K8S_29 | resource | CronJob | Apply security context to your pods and containers | Kubernetes | -| 1059 | CKV_K8S_30 | resource | containers | Apply security context to your pods and containers | Kubernetes | -| 1060 | CKV_K8S_30 | resource | initContainers | Apply security context to your pods and containers | Kubernetes | -| 1061 | CKV_K8S_31 | resource | Pod | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | -| 1062 | CKV_K8S_31 | resource | Deployment | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | -| 1063 | CKV_K8S_31 | resource | DaemonSet | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | -| 1064 | CKV_K8S_31 | resource | StatefulSet | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | -| 1065 | CKV_K8S_31 | resource | ReplicaSet | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | -| 1066 | CKV_K8S_31 | resource | ReplicationController | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | -| 1067 | CKV_K8S_31 | resource | Job | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | -| 1068 | CKV_K8S_31 | resource | CronJob | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | -| 1069 | CKV_K8S_32 | resource | PodSecurityPolicy | Ensure default seccomp profile set to docker/default or runtime/default | Kubernetes | -| 1070 | CKV_K8S_33 | resource | containers | Ensure the Kubernetes dashboard is not deployed | Kubernetes | -| 1071 | CKV_K8S_33 | resource | initContainers | Ensure the Kubernetes dashboard is not deployed | Kubernetes | -| 1072 | CKV_K8S_34 | resource | containers | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | -| 1073 | CKV_K8S_34 | resource | initContainers | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | -| 1074 | CKV_K8S_35 | resource | containers | Prefer using secrets as files over secrets as environment variables | Kubernetes | -| 1075 | CKV_K8S_35 | resource | initContainers | Prefer using secrets as files over secrets as environment variables | Kubernetes | -| 1076 | CKV_K8S_36 | resource | PodSecurityPolicy | Minimize the admission of containers with capabilities assigned | Kubernetes | -| 1077 | CKV_K8S_37 | resource | containers | Minimize the admission of containers with capabilities assigned | Kubernetes | -| 1078 | CKV_K8S_37 | resource | initContainers | Minimize the admission of containers with capabilities assigned | Kubernetes | -| 1079 | CKV_K8S_38 | resource | Pod | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | -| 1080 | CKV_K8S_38 | resource | Deployment | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | -| 1081 | CKV_K8S_38 | resource | DaemonSet | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | -| 1082 | CKV_K8S_38 | resource | StatefulSet | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | -| 1083 | CKV_K8S_38 | resource | ReplicaSet | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | -| 1084 | CKV_K8S_38 | resource | ReplicationController | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | -| 1085 | CKV_K8S_38 | resource | Job | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | -| 1086 | CKV_K8S_38 | resource | CronJob | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | -| 1087 | CKV_K8S_39 | resource | containers | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | -| 1088 | CKV_K8S_39 | resource | initContainers | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | -| 1089 | CKV_K8S_40 | resource | Pod | Containers should run as a high UID to avoid host conflict | Kubernetes | -| 1090 | CKV_K8S_40 | resource | Deployment | Containers should run as a high UID to avoid host conflict | Kubernetes | -| 1091 | CKV_K8S_40 | resource | DaemonSet | Containers should run as a high UID to avoid host conflict | Kubernetes | -| 1092 | CKV_K8S_40 | resource | StatefulSet | Containers should run as a high UID to avoid host conflict | Kubernetes | -| 1093 | CKV_K8S_40 | resource | ReplicaSet | Containers should run as a high UID to avoid host conflict | Kubernetes | -| 1094 | CKV_K8S_40 | resource | ReplicationController | Containers should run as a high UID to avoid host conflict | Kubernetes | -| 1095 | CKV_K8S_40 | resource | Job | Containers should run as a high UID to avoid host conflict | Kubernetes | -| 1096 | CKV_K8S_40 | resource | CronJob | Containers should run as a high UID to avoid host conflict | Kubernetes | -| 1097 | CKV_K8S_41 | resource | ServiceAccount | Ensure that default service accounts are not actively used | Kubernetes | -| 1098 | CKV_K8S_42 | resource | RoleBinding | Ensure that default service accounts are not actively used | Kubernetes | -| 1099 | CKV_K8S_42 | resource | ClusterRoleBinding | Ensure that default service accounts are not actively used | Kubernetes | -| 1100 | CKV_K8S_43 | resource | containers | Image should use digest | Kubernetes | -| 1101 | CKV_K8S_43 | resource | initContainers | Image should use digest | Kubernetes | -| 1102 | CKV_K8S_44 | resource | Service | Ensure that the Tiller Service (Helm v2) is deleted | Kubernetes | -| 1103 | CKV_K8S_45 | resource | containers | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | -| 1104 | CKV_K8S_45 | resource | initContainers | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | -| 1105 | CKV_K8S_49 | resource | Role | Minimize wildcard use in Roles and ClusterRoles | Kubernetes | -| 1106 | CKV_K8S_49 | resource | ClusterRole | Minimize wildcard use in Roles and ClusterRoles | Kubernetes | -| 1107 | CKV_K8S_68 | resource | containers | Ensure that the --anonymous-auth argument is set to false | Kubernetes | -| 1108 | CKV_K8S_69 | resource | containers | Ensure that the --basic-auth-file argument is not set | Kubernetes | -| 1109 | CKV_K8S_70 | resource | containers | Ensure that the --token-auth-file argument is not set | Kubernetes | -| 1110 | CKV_K8S_71 | resource | containers | Ensure that the --kubelet-https argument is set to true | Kubernetes | -| 1111 | CKV_K8S_72 | resource | containers | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | -| 1112 | CKV_K8S_73 | resource | containers | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | -| 1113 | CKV_K8S_74 | resource | containers | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | -| 1114 | CKV_K8S_75 | resource | containers | Ensure that the --authorization-mode argument includes Node | Kubernetes | -| 1115 | CKV_K8S_77 | resource | containers | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | -| 1116 | CKV_K8S_78 | resource | AdmissionConfiguration | Ensure that the admission control plugin EventRateLimit is set | Kubernetes | -| 1117 | CKV_K8S_79 | resource | containers | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | -| 1118 | CKV_K8S_80 | resource | containers | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | -| 1119 | CKV_K8S_81 | resource | containers | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | -| 1120 | CKV_K8S_82 | resource | containers | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | -| 1121 | CKV_K8S_83 | resource | containers | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | -| 1122 | CKV_K8S_84 | resource | containers | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | -| 1123 | CKV_K8S_85 | resource | containers | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | -| 1124 | CKV_K8S_86 | resource | containers | Ensure that the --insecure-bind-address argument is not set | Kubernetes | -| 1125 | CKV_K8S_88 | resource | containers | Ensure that the --insecure-port argument is set to 0 | Kubernetes | -| 1126 | CKV_K8S_89 | resource | containers | Ensure that the --secure-port argument is not set to 0 | Kubernetes | -| 1127 | CKV_K8S_90 | resource | containers | Ensure that the --profiling argument is set to false | Kubernetes | -| 1128 | CKV_K8S_91 | resource | containers | Ensure that the --audit-log-path argument is set | Kubernetes | -| 1129 | CKV_K8S_92 | resource | containers | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | -| 1130 | CKV_K8S_93 | resource | containers | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | -| 1131 | CKV_K8S_94 | resource | containers | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | -| 1132 | CKV_K8S_95 | resource | containers | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | -| 1133 | CKV_K8S_96 | resource | containers | Ensure that the --service-account-lookup argument is set to true | Kubernetes | -| 1134 | CKV_K8S_97 | resource | containers | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | -| 1135 | CKV_K8S_99 | resource | containers | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | -| 1136 | CKV_K8S_100 | resource | containers | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | -| 1137 | CKV_K8S_102 | resource | containers | Ensure that the --etcd-ca-file argument is set as appropriate | Kubernetes | -| 1138 | CKV_K8S_104 | resource | containers | Ensure that encryption providers are appropriately configured | Kubernetes | -| 1139 | CKV_K8S_105 | resource | containers | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | -| 1140 | CKV_K8S_106 | resource | containers | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | -| 1141 | CKV_K8S_107 | resource | containers | Ensure that the --profiling argument is set to false | Kubernetes | -| 1142 | CKV_K8S_108 | resource | containers | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | -| 1143 | CKV_K8S_110 | resource | containers | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | -| 1144 | CKV_K8S_111 | resource | containers | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | -| 1145 | CKV_K8S_112 | resource | containers | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | -| 1146 | CKV_K8S_113 | resource | containers | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | -| 1147 | CKV_K8S_114 | resource | containers | Ensure that the --profiling argument is set to false | Kubernetes | -| 1148 | CKV_K8S_115 | resource | containers | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | -| 1149 | CKV_K8S_116 | resource | containers | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | -| 1150 | CKV_K8S_117 | resource | containers | Ensure that the --client-cert-auth argument is set to true | Kubernetes | -| 1151 | CKV_K8S_118 | resource | containers | Ensure that the --auto-tls argument is not set to true | Kubernetes | -| 1152 | CKV_K8S_119 | resource | containers | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | -| 1153 | CKV_K8S_121 | resource | Pod | Ensure that the --peer-client-cert-auth argument is set to true | Kubernetes | -| 1154 | CKV_K8S_138 | resource | containers | Ensure that the --anonymous-auth argument is set to false | Kubernetes | -| 1155 | CKV_K8S_139 | resource | containers | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | -| 1156 | CKV_K8S_140 | resource | containers | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | -| 1157 | CKV_K8S_141 | resource | containers | Ensure that the --read-only-port argument is set to 0 | Kubernetes | -| 1158 | CKV_K8S_143 | resource | containers | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | -| 1159 | CKV_K8S_144 | resource | containers | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | -| 1160 | CKV_K8S_145 | resource | containers | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | -| 1161 | CKV_K8S_146 | resource | containers | Ensure that the --hostname-override argument is not set | Kubernetes | -| 1162 | CKV_K8S_147 | resource | containers | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | -| 1163 | CKV_K8S_148 | resource | containers | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | -| 1164 | CKV_K8S_149 | resource | containers | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | -| 1165 | CKV_K8S_150 | resource | containers | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | -| 1166 | CKV_K8S_151 | resource | containers | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | -| 1167 | CKV_LIN_1 | provider | linode | Ensure no hard coded Linode tokens exist in provider | Terraform | -| 1168 | CKV_LIN_2 | resource | linode_instance | Ensure SSH key set in authorized_keys | Terraform | -| 1169 | CKV_SECRET_1 | Artifactory Credentials | secrets | Artifactory Credentials | Artifactory Credentials | -| 1170 | CKV_SECRET_2 | AWS Access Key | secrets | AWS Access Key | AWS Access Key | -| 1171 | CKV_SECRET_3 | Azure Storage Account access key | secrets | Azure Storage Account access key | Azure Storage Account access key | -| 1172 | CKV_SECRET_4 | Basic Auth Credentials | secrets | Basic Auth Credentials | Basic Auth Credentials | -| 1173 | CKV_SECRET_5 | Cloudant Credentials | secrets | Cloudant Credentials | Cloudant Credentials | -| 1174 | CKV_SECRET_6 | Base64 High Entropy String | secrets | Base64 High Entropy String | Base64 High Entropy String | -| 1175 | CKV_SECRET_7 | IBM Cloud IAM Key | secrets | IBM Cloud IAM Key | IBM Cloud IAM Key | -| 1176 | CKV_SECRET_8 | IBM COS HMAC Credentials | secrets | IBM COS HMAC Credentials | IBM COS HMAC Credentials | -| 1177 | CKV_SECRET_9 | JSON Web Token | secrets | JSON Web Token | JSON Web Token | -| 1178 | CKV_SECRET_11 | Mailchimp Access Key | secrets | Mailchimp Access Key | Mailchimp Access Key | -| 1179 | CKV_SECRET_12 | NPM tokens | secrets | NPM tokens | NPM tokens | -| 1180 | CKV_SECRET_13 | Private Key | secrets | Private Key | Private Key | -| 1181 | CKV_SECRET_14 | Slack Token | secrets | Slack Token | Slack Token | -| 1182 | CKV_SECRET_15 | SoftLayer Credentials | secrets | SoftLayer Credentials | SoftLayer Credentials | -| 1183 | CKV_SECRET_16 | Square OAuth Secret | secrets | Square OAuth Secret | Square OAuth Secret | -| 1184 | CKV_SECRET_17 | Stripe Access Key | secrets | Stripe Access Key | Stripe Access Key | -| 1185 | CKV_SECRET_18 | Twilio API Key | secrets | Twilio API Key | Twilio API Key | -| 1186 | CKV_SECRET_19 | Hex High Entropy String | secrets | Hex High Entropy String | Hex High Entropy String | +| 954 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 955 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 956 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 957 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 958 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 959 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 960 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 961 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 962 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 963 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform | +| 964 | CKV_K8S_1 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host process ID namespace | Kubernetes | +| 965 | CKV_K8S_2 | resource | PodSecurityPolicy | Do not admit privileged containers | Kubernetes | +| 966 | CKV_K8S_3 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host IPC namespace | Kubernetes | +| 967 | CKV_K8S_4 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host network namespace | Kubernetes | +| 968 | CKV_K8S_5 | resource | PodSecurityPolicy | Containers should not run with allowPrivilegeEscalation | Kubernetes | +| 969 | CKV_K8S_6 | resource | PodSecurityPolicy | Do not admit root containers | Kubernetes | +| 970 | CKV_K8S_7 | resource | PodSecurityPolicy | Do not admit containers with the NET_RAW capability | Kubernetes | +| 971 | CKV_K8S_8 | resource | containers | Liveness Probe Should be Configured | Kubernetes | +| 972 | CKV_K8S_9 | resource | containers | Readiness Probe Should be Configured | Kubernetes | +| 973 | CKV_K8S_10 | resource | containers | CPU requests should be set | Kubernetes | +| 974 | CKV_K8S_10 | resource | initContainers | CPU requests should be set | Kubernetes | +| 975 | CKV_K8S_11 | resource | containers | CPU limits should be set | Kubernetes | +| 976 | CKV_K8S_11 | resource | initContainers | CPU limits should be set | Kubernetes | +| 977 | CKV_K8S_12 | resource | containers | Memory requests should be set | Kubernetes | +| 978 | CKV_K8S_12 | resource | initContainers | Memory requests should be set | Kubernetes | +| 979 | CKV_K8S_13 | resource | containers | Memory limits should be set | Kubernetes | +| 980 | CKV_K8S_13 | resource | initContainers | Memory limits should be set | Kubernetes | +| 981 | CKV_K8S_14 | resource | containers | Image Tag should be fixed - not latest or blank | Kubernetes | +| 982 | CKV_K8S_14 | resource | initContainers | Image Tag should be fixed - not latest or blank | Kubernetes | +| 983 | CKV_K8S_15 | resource | containers | Image Pull Policy should be Always | Kubernetes | +| 984 | CKV_K8S_15 | resource | initContainers | Image Pull Policy should be Always | Kubernetes | +| 985 | CKV_K8S_16 | resource | containers | Container should not be privileged | Kubernetes | +| 986 | CKV_K8S_16 | resource | initContainers | Container should not be privileged | Kubernetes | +| 987 | CKV_K8S_17 | resource | Pod | Containers should not share the host process ID namespace | Kubernetes | +| 988 | CKV_K8S_17 | resource | Deployment | Containers should not share the host process ID namespace | Kubernetes | +| 989 | CKV_K8S_17 | resource | DaemonSet | Containers should not share the host process ID namespace | Kubernetes | +| 990 | CKV_K8S_17 | resource | StatefulSet | Containers should not share the host process ID namespace | Kubernetes | +| 991 | CKV_K8S_17 | resource | ReplicaSet | Containers should not share the host process ID namespace | Kubernetes | +| 992 | CKV_K8S_17 | resource | ReplicationController | Containers should not share the host process ID namespace | Kubernetes | +| 993 | CKV_K8S_17 | resource | Job | Containers should not share the host process ID namespace | Kubernetes | +| 994 | CKV_K8S_17 | resource | CronJob | Containers should not share the host process ID namespace | Kubernetes | +| 995 | CKV_K8S_18 | resource | Pod | Containers should not share the host IPC namespace | Kubernetes | +| 996 | CKV_K8S_18 | resource | Deployment | Containers should not share the host IPC namespace | Kubernetes | +| 997 | CKV_K8S_18 | resource | DaemonSet | Containers should not share the host IPC namespace | Kubernetes | +| 998 | CKV_K8S_18 | resource | StatefulSet | Containers should not share the host IPC namespace | Kubernetes | +| 999 | CKV_K8S_18 | resource | ReplicaSet | Containers should not share the host IPC namespace | Kubernetes | +| 1000 | CKV_K8S_18 | resource | ReplicationController | Containers should not share the host IPC namespace | Kubernetes | +| 1001 | CKV_K8S_18 | resource | Job | Containers should not share the host IPC namespace | Kubernetes | +| 1002 | CKV_K8S_18 | resource | CronJob | Containers should not share the host IPC namespace | Kubernetes | +| 1003 | CKV_K8S_19 | resource | Pod | Containers should not share the host network namespace | Kubernetes | +| 1004 | CKV_K8S_19 | resource | Deployment | Containers should not share the host network namespace | Kubernetes | +| 1005 | CKV_K8S_19 | resource | DaemonSet | Containers should not share the host network namespace | Kubernetes | +| 1006 | CKV_K8S_19 | resource | StatefulSet | Containers should not share the host network namespace | Kubernetes | +| 1007 | CKV_K8S_19 | resource | ReplicaSet | Containers should not share the host network namespace | Kubernetes | +| 1008 | CKV_K8S_19 | resource | ReplicationController | Containers should not share the host network namespace | Kubernetes | +| 1009 | CKV_K8S_19 | resource | Job | Containers should not share the host network namespace | Kubernetes | +| 1010 | CKV_K8S_19 | resource | CronJob | Containers should not share the host network namespace | Kubernetes | +| 1011 | CKV_K8S_20 | resource | containers | Containers should not run with allowPrivilegeEscalation | Kubernetes | +| 1012 | CKV_K8S_20 | resource | initContainers | Containers should not run with allowPrivilegeEscalation | Kubernetes | +| 1013 | CKV_K8S_21 | resource | Service | The default namespace should not be used | Kubernetes | +| 1014 | CKV_K8S_21 | resource | Pod | The default namespace should not be used | Kubernetes | +| 1015 | CKV_K8S_21 | resource | Deployment | The default namespace should not be used | Kubernetes | +| 1016 | CKV_K8S_21 | resource | DaemonSet | The default namespace should not be used | Kubernetes | +| 1017 | CKV_K8S_21 | resource | StatefulSet | The default namespace should not be used | Kubernetes | +| 1018 | CKV_K8S_21 | resource | ReplicaSet | The default namespace should not be used | Kubernetes | +| 1019 | CKV_K8S_21 | resource | ReplicationController | The default namespace should not be used | Kubernetes | +| 1020 | CKV_K8S_21 | resource | Job | The default namespace should not be used | Kubernetes | +| 1021 | CKV_K8S_21 | resource | CronJob | The default namespace should not be used | Kubernetes | +| 1022 | CKV_K8S_21 | resource | Secret | The default namespace should not be used | Kubernetes | +| 1023 | CKV_K8S_21 | resource | ServiceAccount | The default namespace should not be used | Kubernetes | +| 1024 | CKV_K8S_21 | resource | Role | The default namespace should not be used | Kubernetes | +| 1025 | CKV_K8S_21 | resource | RoleBinding | The default namespace should not be used | Kubernetes | +| 1026 | CKV_K8S_21 | resource | ConfigMap | The default namespace should not be used | Kubernetes | +| 1027 | CKV_K8S_21 | resource | Ingress | The default namespace should not be used | Kubernetes | +| 1028 | CKV_K8S_22 | resource | containers | Use read-only filesystem for containers where possible | Kubernetes | +| 1029 | CKV_K8S_22 | resource | initContainers | Use read-only filesystem for containers where possible | Kubernetes | +| 1030 | CKV_K8S_23 | resource | Pod | Minimize the admission of root containers | Kubernetes | +| 1031 | CKV_K8S_23 | resource | Deployment | Minimize the admission of root containers | Kubernetes | +| 1032 | CKV_K8S_23 | resource | DaemonSet | Minimize the admission of root containers | Kubernetes | +| 1033 | CKV_K8S_23 | resource | StatefulSet | Minimize the admission of root containers | Kubernetes | +| 1034 | CKV_K8S_23 | resource | ReplicaSet | Minimize the admission of root containers | Kubernetes | +| 1035 | CKV_K8S_23 | resource | ReplicationController | Minimize the admission of root containers | Kubernetes | +| 1036 | CKV_K8S_23 | resource | Job | Minimize the admission of root containers | Kubernetes | +| 1037 | CKV_K8S_23 | resource | CronJob | Minimize the admission of root containers | Kubernetes | +| 1038 | CKV_K8S_24 | resource | PodSecurityPolicy | Do not allow containers with added capability | Kubernetes | +| 1039 | CKV_K8S_25 | resource | containers | Minimize the admission of containers with added capability | Kubernetes | +| 1040 | CKV_K8S_25 | resource | initContainers | Minimize the admission of containers with added capability | Kubernetes | +| 1041 | CKV_K8S_26 | resource | containers | Do not specify hostPort unless absolutely necessary | Kubernetes | +| 1042 | CKV_K8S_26 | resource | initContainers | Do not specify hostPort unless absolutely necessary | Kubernetes | +| 1043 | CKV_K8S_27 | resource | Pod | Do not expose the docker daemon socket to containers | Kubernetes | +| 1044 | CKV_K8S_27 | resource | Deployment | Do not expose the docker daemon socket to containers | Kubernetes | +| 1045 | CKV_K8S_27 | resource | DaemonSet | Do not expose the docker daemon socket to containers | Kubernetes | +| 1046 | CKV_K8S_27 | resource | StatefulSet | Do not expose the docker daemon socket to containers | Kubernetes | +| 1047 | CKV_K8S_27 | resource | ReplicaSet | Do not expose the docker daemon socket to containers | Kubernetes | +| 1048 | CKV_K8S_27 | resource | ReplicationController | Do not expose the docker daemon socket to containers | Kubernetes | +| 1049 | CKV_K8S_27 | resource | Job | Do not expose the docker daemon socket to containers | Kubernetes | +| 1050 | CKV_K8S_27 | resource | CronJob | Do not expose the docker daemon socket to containers | Kubernetes | +| 1051 | CKV_K8S_28 | resource | containers | Minimize the admission of containers with the NET_RAW capability | Kubernetes | +| 1052 | CKV_K8S_28 | resource | initContainers | Minimize the admission of containers with the NET_RAW capability | Kubernetes | +| 1053 | CKV_K8S_29 | resource | Pod | Apply security context to your pods and containers | Kubernetes | +| 1054 | CKV_K8S_29 | resource | Deployment | Apply security context to your pods and containers | Kubernetes | +| 1055 | CKV_K8S_29 | resource | DaemonSet | Apply security context to your pods and containers | Kubernetes | +| 1056 | CKV_K8S_29 | resource | StatefulSet | Apply security context to your pods and containers | Kubernetes | +| 1057 | CKV_K8S_29 | resource | ReplicaSet | Apply security context to your pods and containers | Kubernetes | +| 1058 | CKV_K8S_29 | resource | ReplicationController | Apply security context to your pods and containers | Kubernetes | +| 1059 | CKV_K8S_29 | resource | Job | Apply security context to your pods and containers | Kubernetes | +| 1060 | CKV_K8S_29 | resource | CronJob | Apply security context to your pods and containers | Kubernetes | +| 1061 | CKV_K8S_30 | resource | containers | Apply security context to your pods and containers | Kubernetes | +| 1062 | CKV_K8S_30 | resource | initContainers | Apply security context to your pods and containers | Kubernetes | +| 1063 | CKV_K8S_31 | resource | Pod | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | +| 1064 | CKV_K8S_31 | resource | Deployment | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | +| 1065 | CKV_K8S_31 | resource | DaemonSet | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | +| 1066 | CKV_K8S_31 | resource | StatefulSet | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | +| 1067 | CKV_K8S_31 | resource | ReplicaSet | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | +| 1068 | CKV_K8S_31 | resource | ReplicationController | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | +| 1069 | CKV_K8S_31 | resource | Job | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | +| 1070 | CKV_K8S_31 | resource | CronJob | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | +| 1071 | CKV_K8S_32 | resource | PodSecurityPolicy | Ensure default seccomp profile set to docker/default or runtime/default | Kubernetes | +| 1072 | CKV_K8S_33 | resource | containers | Ensure the Kubernetes dashboard is not deployed | Kubernetes | +| 1073 | CKV_K8S_33 | resource | initContainers | Ensure the Kubernetes dashboard is not deployed | Kubernetes | +| 1074 | CKV_K8S_34 | resource | containers | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | +| 1075 | CKV_K8S_34 | resource | initContainers | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | +| 1076 | CKV_K8S_35 | resource | containers | Prefer using secrets as files over secrets as environment variables | Kubernetes | +| 1077 | CKV_K8S_35 | resource | initContainers | Prefer using secrets as files over secrets as environment variables | Kubernetes | +| 1078 | CKV_K8S_36 | resource | PodSecurityPolicy | Minimize the admission of containers with capabilities assigned | Kubernetes | +| 1079 | CKV_K8S_37 | resource | containers | Minimize the admission of containers with capabilities assigned | Kubernetes | +| 1080 | CKV_K8S_37 | resource | initContainers | Minimize the admission of containers with capabilities assigned | Kubernetes | +| 1081 | CKV_K8S_38 | resource | Pod | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | +| 1082 | CKV_K8S_38 | resource | Deployment | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | +| 1083 | CKV_K8S_38 | resource | DaemonSet | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | +| 1084 | CKV_K8S_38 | resource | StatefulSet | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | +| 1085 | CKV_K8S_38 | resource | ReplicaSet | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | +| 1086 | CKV_K8S_38 | resource | ReplicationController | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | +| 1087 | CKV_K8S_38 | resource | Job | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | +| 1088 | CKV_K8S_38 | resource | CronJob | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | +| 1089 | CKV_K8S_39 | resource | containers | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | +| 1090 | CKV_K8S_39 | resource | initContainers | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | +| 1091 | CKV_K8S_40 | resource | Pod | Containers should run as a high UID to avoid host conflict | Kubernetes | +| 1092 | CKV_K8S_40 | resource | Deployment | Containers should run as a high UID to avoid host conflict | Kubernetes | +| 1093 | CKV_K8S_40 | resource | DaemonSet | Containers should run as a high UID to avoid host conflict | Kubernetes | +| 1094 | CKV_K8S_40 | resource | StatefulSet | Containers should run as a high UID to avoid host conflict | Kubernetes | +| 1095 | CKV_K8S_40 | resource | ReplicaSet | Containers should run as a high UID to avoid host conflict | Kubernetes | +| 1096 | CKV_K8S_40 | resource | ReplicationController | Containers should run as a high UID to avoid host conflict | Kubernetes | +| 1097 | CKV_K8S_40 | resource | Job | Containers should run as a high UID to avoid host conflict | Kubernetes | +| 1098 | CKV_K8S_40 | resource | CronJob | Containers should run as a high UID to avoid host conflict | Kubernetes | +| 1099 | CKV_K8S_41 | resource | ServiceAccount | Ensure that default service accounts are not actively used | Kubernetes | +| 1100 | CKV_K8S_42 | resource | RoleBinding | Ensure that default service accounts are not actively used | Kubernetes | +| 1101 | CKV_K8S_42 | resource | ClusterRoleBinding | Ensure that default service accounts are not actively used | Kubernetes | +| 1102 | CKV_K8S_43 | resource | containers | Image should use digest | Kubernetes | +| 1103 | CKV_K8S_43 | resource | initContainers | Image should use digest | Kubernetes | +| 1104 | CKV_K8S_44 | resource | Service | Ensure that the Tiller Service (Helm v2) is deleted | Kubernetes | +| 1105 | CKV_K8S_45 | resource | containers | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | +| 1106 | CKV_K8S_45 | resource | initContainers | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | +| 1107 | CKV_K8S_49 | resource | Role | Minimize wildcard use in Roles and ClusterRoles | Kubernetes | +| 1108 | CKV_K8S_49 | resource | ClusterRole | Minimize wildcard use in Roles and ClusterRoles | Kubernetes | +| 1109 | CKV_K8S_68 | resource | containers | Ensure that the --anonymous-auth argument is set to false | Kubernetes | +| 1110 | CKV_K8S_69 | resource | containers | Ensure that the --basic-auth-file argument is not set | Kubernetes | +| 1111 | CKV_K8S_70 | resource | containers | Ensure that the --token-auth-file argument is not set | Kubernetes | +| 1112 | CKV_K8S_71 | resource | containers | Ensure that the --kubelet-https argument is set to true | Kubernetes | +| 1113 | CKV_K8S_72 | resource | containers | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | +| 1114 | CKV_K8S_73 | resource | containers | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | +| 1115 | CKV_K8S_74 | resource | containers | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | +| 1116 | CKV_K8S_75 | resource | containers | Ensure that the --authorization-mode argument includes Node | Kubernetes | +| 1117 | CKV_K8S_77 | resource | containers | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | +| 1118 | CKV_K8S_78 | resource | AdmissionConfiguration | Ensure that the admission control plugin EventRateLimit is set | Kubernetes | +| 1119 | CKV_K8S_79 | resource | containers | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | +| 1120 | CKV_K8S_80 | resource | containers | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | +| 1121 | CKV_K8S_81 | resource | containers | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | +| 1122 | CKV_K8S_82 | resource | containers | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | +| 1123 | CKV_K8S_83 | resource | containers | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | +| 1124 | CKV_K8S_84 | resource | containers | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | +| 1125 | CKV_K8S_85 | resource | containers | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | +| 1126 | CKV_K8S_86 | resource | containers | Ensure that the --insecure-bind-address argument is not set | Kubernetes | +| 1127 | CKV_K8S_88 | resource | containers | Ensure that the --insecure-port argument is set to 0 | Kubernetes | +| 1128 | CKV_K8S_89 | resource | containers | Ensure that the --secure-port argument is not set to 0 | Kubernetes | +| 1129 | CKV_K8S_90 | resource | containers | Ensure that the --profiling argument is set to false | Kubernetes | +| 1130 | CKV_K8S_91 | resource | containers | Ensure that the --audit-log-path argument is set | Kubernetes | +| 1131 | CKV_K8S_92 | resource | containers | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | +| 1132 | CKV_K8S_93 | resource | containers | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | +| 1133 | CKV_K8S_94 | resource | containers | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | +| 1134 | CKV_K8S_95 | resource | containers | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | +| 1135 | CKV_K8S_96 | resource | containers | Ensure that the --service-account-lookup argument is set to true | Kubernetes | +| 1136 | CKV_K8S_97 | resource | containers | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | +| 1137 | CKV_K8S_99 | resource | containers | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | +| 1138 | CKV_K8S_100 | resource | containers | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | +| 1139 | CKV_K8S_102 | resource | containers | Ensure that the --etcd-ca-file argument is set as appropriate | Kubernetes | +| 1140 | CKV_K8S_104 | resource | containers | Ensure that encryption providers are appropriately configured | Kubernetes | +| 1141 | CKV_K8S_105 | resource | containers | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | +| 1142 | CKV_K8S_106 | resource | containers | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | +| 1143 | CKV_K8S_107 | resource | containers | Ensure that the --profiling argument is set to false | Kubernetes | +| 1144 | CKV_K8S_108 | resource | containers | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | +| 1145 | CKV_K8S_110 | resource | containers | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | +| 1146 | CKV_K8S_111 | resource | containers | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | +| 1147 | CKV_K8S_112 | resource | containers | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | +| 1148 | CKV_K8S_113 | resource | containers | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | +| 1149 | CKV_K8S_114 | resource | containers | Ensure that the --profiling argument is set to false | Kubernetes | +| 1150 | CKV_K8S_115 | resource | containers | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | +| 1151 | CKV_K8S_116 | resource | containers | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | +| 1152 | CKV_K8S_117 | resource | containers | Ensure that the --client-cert-auth argument is set to true | Kubernetes | +| 1153 | CKV_K8S_118 | resource | containers | Ensure that the --auto-tls argument is not set to true | Kubernetes | +| 1154 | CKV_K8S_119 | resource | containers | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | +| 1155 | CKV_K8S_121 | resource | Pod | Ensure that the --peer-client-cert-auth argument is set to true | Kubernetes | +| 1156 | CKV_K8S_138 | resource | containers | Ensure that the --anonymous-auth argument is set to false | Kubernetes | +| 1157 | CKV_K8S_139 | resource | containers | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | +| 1158 | CKV_K8S_140 | resource | containers | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | +| 1159 | CKV_K8S_141 | resource | containers | Ensure that the --read-only-port argument is set to 0 | Kubernetes | +| 1160 | CKV_K8S_143 | resource | containers | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | +| 1161 | CKV_K8S_144 | resource | containers | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | +| 1162 | CKV_K8S_145 | resource | containers | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | +| 1163 | CKV_K8S_146 | resource | containers | Ensure that the --hostname-override argument is not set | Kubernetes | +| 1164 | CKV_K8S_147 | resource | containers | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | +| 1165 | CKV_K8S_148 | resource | containers | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | +| 1166 | CKV_K8S_149 | resource | containers | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | +| 1167 | CKV_K8S_150 | resource | containers | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | +| 1168 | CKV_K8S_151 | resource | containers | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | +| 1169 | CKV_LIN_1 | provider | linode | Ensure no hard coded Linode tokens exist in provider | Terraform | +| 1170 | CKV_LIN_2 | resource | linode_instance | Ensure SSH key set in authorized_keys | Terraform | +| 1171 | CKV_SECRET_1 | Artifactory Credentials | secrets | Artifactory Credentials | Artifactory Credentials | +| 1172 | CKV_SECRET_2 | AWS Access Key | secrets | AWS Access Key | AWS Access Key | +| 1173 | CKV_SECRET_3 | Azure Storage Account access key | secrets | Azure Storage Account access key | Azure Storage Account access key | +| 1174 | CKV_SECRET_4 | Basic Auth Credentials | secrets | Basic Auth Credentials | Basic Auth Credentials | +| 1175 | CKV_SECRET_5 | Cloudant Credentials | secrets | Cloudant Credentials | Cloudant Credentials | +| 1176 | CKV_SECRET_6 | Base64 High Entropy String | secrets | Base64 High Entropy String | Base64 High Entropy String | +| 1177 | CKV_SECRET_7 | IBM Cloud IAM Key | secrets | IBM Cloud IAM Key | IBM Cloud IAM Key | +| 1178 | CKV_SECRET_8 | IBM COS HMAC Credentials | secrets | IBM COS HMAC Credentials | IBM COS HMAC Credentials | +| 1179 | CKV_SECRET_9 | JSON Web Token | secrets | JSON Web Token | JSON Web Token | +| 1180 | CKV_SECRET_11 | Mailchimp Access Key | secrets | Mailchimp Access Key | Mailchimp Access Key | +| 1181 | CKV_SECRET_12 | NPM tokens | secrets | NPM tokens | NPM tokens | +| 1182 | CKV_SECRET_13 | Private Key | secrets | Private Key | Private Key | +| 1183 | CKV_SECRET_14 | Slack Token | secrets | Slack Token | Slack Token | +| 1184 | CKV_SECRET_15 | SoftLayer Credentials | secrets | SoftLayer Credentials | SoftLayer Credentials | +| 1185 | CKV_SECRET_16 | Square OAuth Secret | secrets | Square OAuth Secret | Square OAuth Secret | +| 1186 | CKV_SECRET_17 | Stripe Access Key | secrets | Stripe Access Key | Stripe Access Key | +| 1187 | CKV_SECRET_18 | Twilio API Key | secrets | Twilio API Key | Twilio API Key | +| 1188 | CKV_SECRET_19 | Hex High Entropy String | secrets | Hex High Entropy String | Hex High Entropy String | --- From bcc75cb7ef1c8810e158e194c6355c157ceb7b4a Mon Sep 17 00:00:00 2001 From: nimrodkor Date: Mon, 9 Aug 2021 19:11:57 +0300 Subject: [PATCH 046/203] Fix build flow --- docs/5.Policy Index/serverless.md | 130 ++++++++++++++++++++++++++++++ 1 file changed, 130 insertions(+) diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index d35af83ca3..020ab484d2 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md @@ -16,3 +16,133 @@ nav_order: 1 --- +| | Id | Type | Entity | Policy | IaC | +|-----|-------------|----------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| +| 0 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | +| 1 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | +| 2 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | +| 3 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | +| 4 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | +| 5 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | +| 6 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | +| 7 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | +| 8 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | +| 9 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | +| 10 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | +| 11 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | +| 12 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | +| 13 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | +| 14 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | +| 15 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 16 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 17 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 18 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 19 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | +| 20 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | +| 21 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | +| 22 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | +| 23 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | +| 24 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | +| 25 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | +| 26 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | +| 27 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | +| 28 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | +| 29 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | +| 30 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | +| 31 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | +| 32 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | +| 33 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | +| 34 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | +| 35 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | +| 36 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | +| 37 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | +| 38 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | +| 39 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | +| 40 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | +| 41 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | +| 42 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | +| 43 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | +| 44 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | +| 45 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | +| 46 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | +| 47 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | +| 48 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | +| 49 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | +| 50 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | +| 51 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | +| 52 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | +| 53 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | +| 54 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | +| 55 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | +| 56 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | +| 57 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | +| 58 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | +| 59 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | +| 60 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | +| 61 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | +| 62 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | +| 63 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | +| 64 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | +| 65 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | +| 66 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | +| 67 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | +| 68 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | +| 69 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | +| 70 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | +| 71 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | +| 72 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | +| 73 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | +| 74 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | +| 75 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | +| 76 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | +| 77 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | +| 78 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | +| 79 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | +| 80 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 81 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 82 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 83 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 84 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 85 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 86 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 87 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 88 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 89 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 90 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 91 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 92 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 93 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 94 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 95 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 96 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 97 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 98 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 99 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 100 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 101 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 102 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 103 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 104 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 105 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | +| 106 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | +| 107 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | +| 108 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | +| 109 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | +| 110 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | +| 111 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | +| 112 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | +| 113 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | +| 114 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | +| 115 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | +| 116 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | +| 117 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | +| 118 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | +| 119 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | +| 120 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | +| 121 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | +| 122 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | + + +--- + + From 7edeba68023d3d8c185e9148b0c903e41fe06118 Mon Sep 17 00:00:00 2001 From: nimrodkor Date: Mon, 9 Aug 2021 19:11:57 +0300 Subject: [PATCH 047/203] Fix build flow --- checkov/version.py | 2 +- kubernetes/requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/checkov/version.py b/checkov/version.py index b0ae603b82..f0d641fc0c 100644 --- a/checkov/version.py +++ b/checkov/version.py @@ -1 +1 @@ -version = '2.0.341' +version = '2.0.342' diff --git a/kubernetes/requirements.txt b/kubernetes/requirements.txt index 8eb6954394..5d4f544a94 100644 --- a/kubernetes/requirements.txt +++ b/kubernetes/requirements.txt @@ -1 +1 @@ -checkov==2.0.341 +checkov==2.0.342 From d9b01669016d9ac1cb5b4741c375b6b5ee7bb782 Mon Sep 17 00:00:00 2001 From: Barak Schoster Goihman Date: Tue, 10 Aug 2021 10:03:57 +0300 Subject: [PATCH 048/203] update pipenv packages (#1484) Co-authored-by: GitHub Action --- Pipfile.lock | 37 ++++++------------------------------- 1 file changed, 6 insertions(+), 31 deletions(-) diff --git a/Pipfile.lock b/Pipfile.lock index 20d74fb8fe..0ba6bf46d4 100644 --- a/Pipfile.lock +++ b/Pipfile.lock @@ -104,11 +104,11 @@ }, "configargparse": { "hashes": [ - "sha256:371f46577e76ec71a183b88378f36dd09f4b946f60fe60712f411b020f26b812", - "sha256:ebef7b5379600fa34c276debf36e72ac8b37e7e42e6f0cfaed49c61e206eb604" + "sha256:c39540eb4843883d526beeed912dc80c92481b0c13c9787c91e614a624de3666", + "sha256:f75b235a13dba6692ee9e019470e7bce41861d09606c39c41facb347c24ca3cf" ], "index": "pypi", - "version": "==1.5.1" + "version": "==1.5.2" }, "contextlib2": { "hashes": [ @@ -453,11 +453,11 @@ }, "websocket-client": { "hashes": [ - "sha256:b68e4959d704768fa20e35c9d508c8dc2bbc041fd8d267c0d7345cffe2824568", - "sha256:e5c333bfa9fa739538b652b6f8c8fc2559f1d364243c8a689d7c0e1d41c2e611" + "sha256:4cf754af7e3b3ba76589d49f9e09fd9a6c0aae9b799a89124d656009c01a261d", + "sha256:8d07f155f8ed14ae3ced97bd7582b08f280bb1bfd27945f023ba2aceff05ab52" ], "markers": "python_version >= '3.6'", - "version": "==1.1.0" + "version": "==1.1.1" }, "zipp": { "hashes": [ @@ -567,14 +567,6 @@ "index": "pypi", "version": "==3.1.18" }, - "importlib-metadata": { - "hashes": [ - "sha256:0645585859e9a6689c523927a5032f2ba5919f1f7d0e84bd4533312320de1ff9", - "sha256:51c6635429c77cf1ae634c997ff9e53ca3438b495f10a55ba28594dd69764a8b" - ], - "index": "pypi", - "version": "==4.6.3" - }, "iniconfig": { "hashes": [ "sha256:011e24c64b7f47f6ebd835bb12a743f2fbe9a26d4cecaa7f53bc4f35ee9da8b3", @@ -732,15 +724,6 @@ "markers": "python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3'", "version": "==0.10.2" }, - "typing-extensions": { - "hashes": [ - "sha256:0ac0f89795dd19de6b97debb0c6af1c70987fd80a2d62d1958f7e56fcc31b497", - "sha256:50b6f157849174217d0656f99dc82fe932884fb250826c18350e159ec6cdf342", - "sha256:779383f6086d90c99ae41cf0ff39aac8a7937a9283ce0a414e5dd782f4c94a84" - ], - "index": "pypi", - "version": "==3.10.0.0" - }, "urllib3-mock": { "hashes": [ "sha256:702c90042920d771c9902b7b5b542551cc57f259078f4eada47ab4e8cdd11f1a", @@ -748,14 +731,6 @@ ], "index": "pypi", "version": "==0.3.3" - }, - "zipp": { - "hashes": [ - "sha256:957cfda87797e389580cb8b9e3870841ca991e2125350677b2ca83a0e99390a3", - "sha256:f5812b1e007e48cff63449a5e9f4e7ebea716b4111f9c4f9a645f91d579bf0c4" - ], - "markers": "python_version >= '3.6'", - "version": "==3.5.0" } } } From ce5d18b46135e3ddde863cb75b53000a6127c635 Mon Sep 17 00:00:00 2001 From: Barak Schoster Goihman Date: Tue, 10 Aug 2021 10:03:57 +0300 Subject: [PATCH 049/203] update pipenv packages (#1484) Co-authored-by: GitHub Action --- docs/5.Policy Index/terraform.md | 628 +++++++++++++++---------------- 1 file changed, 314 insertions(+), 314 deletions(-) diff --git a/docs/5.Policy Index/terraform.md b/docs/5.Policy Index/terraform.md index 507051f779..447fbf8478 100644 --- a/docs/5.Policy Index/terraform.md +++ b/docs/5.Policy Index/terraform.md @@ -207,13 +207,13 @@ nav_order: 1 | 196 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | | 197 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | | 198 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 199 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | -| 200 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 199 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 200 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | | 201 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to an other resource | Terraform | | 202 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | | 203 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | -| 204 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | -| 205 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 204 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 205 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | | 206 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | | 207 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | | 208 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | @@ -221,22 +221,22 @@ nav_order: 1 | 210 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | | 211 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | | 212 | CKV2_AWS_13 | resource | aws_redshift_cluster | Ensure that Redshift clusters has backup plan of AWS Backup | Terraform | -| 213 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | -| 214 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | -| 215 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 216 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 217 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | -| 218 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | +| 213 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | +| 214 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | +| 215 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 216 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 217 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | +| 218 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 219 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | | 220 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | | 221 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 222 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | -| 223 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 222 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 223 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | | 224 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | | 225 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | | 226 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | -| 227 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | -| 228 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | +| 227 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | +| 228 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | | 229 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | | 230 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | | 231 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | @@ -388,45 +388,45 @@ nav_order: 1 | 377 | CKV_AZURE_130 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables infrastructure encryption | Terraform | | 378 | CKV_AZURE_131 | resource | azurerm_security_center_contact | Ensure that 'Security contact emails' is set | Terraform | | 379 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | -| 380 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 381 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 382 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 383 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 384 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 385 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 386 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 387 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 388 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 389 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 390 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 391 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | -| 392 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 380 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 381 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 382 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 383 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 384 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 385 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 386 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 387 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 388 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 389 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 390 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 391 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 392 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 393 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | | 394 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 395 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 396 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | -| 397 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | -| 398 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 397 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 398 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | | 399 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | | 400 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | -| 401 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | -| 402 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | -| 403 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | -| 404 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | +| 401 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | +| 402 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | +| 403 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | +| 404 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | | 405 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | -| 406 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 407 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 408 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 409 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 410 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | -| 411 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 406 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 407 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 408 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 409 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 410 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 411 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 412 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | -| 413 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 414 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 415 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 413 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 414 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 415 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | | 416 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 417 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 418 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 417 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 418 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 419 | CKV_GCP_1 | resource | google_container_cluster | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters | Terraform | | 420 | CKV_GCP_2 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted ssh access | Terraform | | 421 | CKV_GCP_3 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted rdp access | Terraform | @@ -511,279 +511,279 @@ nav_order: 1 | 500 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | | 501 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | | 502 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 503 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 504 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 505 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 506 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 507 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 508 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 509 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 510 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 511 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 512 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 513 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 514 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 515 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 516 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 517 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 518 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 519 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 520 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 521 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 522 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 523 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 524 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 525 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 526 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 527 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 528 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 529 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 530 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 531 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 532 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 533 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 534 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 535 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 536 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 537 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 538 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 539 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 540 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 541 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 542 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 543 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 544 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 545 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 546 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 547 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 548 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 549 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 550 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 551 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 552 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 553 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 554 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 555 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 556 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 557 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 558 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 559 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 560 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 561 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 562 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 563 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 564 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 565 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 566 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 567 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 568 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 569 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 570 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 571 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 572 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 573 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 574 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 575 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 576 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 577 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 578 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 579 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 580 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 581 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 582 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 583 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 584 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 585 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 586 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 587 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 588 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 589 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 590 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 591 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 592 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 593 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 594 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 595 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 596 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 597 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 598 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 599 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 600 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 601 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 602 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 603 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 604 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 605 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 606 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 607 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 608 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 609 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 610 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 611 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 612 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 613 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 614 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 615 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 616 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 617 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 618 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 619 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 620 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 621 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 622 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 623 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 624 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 625 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 626 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 627 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 628 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 629 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 630 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 631 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 632 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 633 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 634 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 635 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 636 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 637 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 638 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 639 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 640 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 641 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 642 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 643 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 644 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 645 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 646 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 647 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 648 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 649 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 650 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 651 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 652 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 653 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 654 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 655 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 656 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 657 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 658 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 659 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 660 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 661 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 662 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 663 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 664 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 665 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 666 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 667 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 668 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 669 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 670 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 671 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 672 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 673 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 674 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 675 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 676 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 677 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 678 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 679 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 680 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 681 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 682 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 683 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 684 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 685 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 686 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 687 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 688 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 689 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 690 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 691 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 692 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 693 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 694 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 695 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 696 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 697 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 698 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 699 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 700 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 701 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 702 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 703 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 704 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 705 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 706 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 707 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 708 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 709 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 710 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 711 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 712 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 713 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 714 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 715 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 716 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 717 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 718 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 719 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 720 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 721 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 722 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 723 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 724 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 725 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 726 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 727 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 728 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 729 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 730 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 731 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 732 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 733 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 734 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 735 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 736 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 737 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 738 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 739 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 740 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 741 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 742 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 743 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 744 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 745 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 746 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 747 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 748 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 749 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 750 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 751 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 752 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 753 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 754 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 755 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 756 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 757 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 758 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 759 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 760 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 761 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 762 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 763 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 764 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 765 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 766 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 767 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 768 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 503 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 504 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 505 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 506 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 507 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 508 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 509 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 510 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 511 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 512 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 513 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 514 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 515 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 516 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 517 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 518 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 519 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 520 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 521 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 522 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 523 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 524 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 525 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 526 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 527 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 528 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 529 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 530 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 531 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 532 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 533 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 534 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 535 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 536 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 537 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 538 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 539 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 540 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 541 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 542 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 543 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 544 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 545 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 546 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 547 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 548 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 549 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 550 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 551 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 552 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 553 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 554 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 555 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 556 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 557 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 558 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 559 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 560 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 561 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 562 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 563 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 564 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 565 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 566 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 567 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 568 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 569 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 570 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 571 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 572 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 573 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 574 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 575 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 576 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 577 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 578 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 579 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 580 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 581 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 582 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 583 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 584 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 585 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 586 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 587 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 588 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 589 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 590 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 591 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 592 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 593 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 594 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 595 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 596 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 597 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 598 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 599 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 600 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 601 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 602 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 603 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 604 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 605 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 606 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 607 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 608 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 609 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 610 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 611 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 612 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 613 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 614 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 615 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 616 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 617 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 618 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 619 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 620 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 621 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 622 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 623 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 624 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 625 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 626 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 627 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 628 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 629 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 630 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 631 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 632 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 633 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 634 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 635 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 636 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 637 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 638 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 639 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 640 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 641 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 642 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 643 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 644 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 645 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 646 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 647 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 648 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 649 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 650 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 651 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 652 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 653 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 654 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 655 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 656 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 657 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 658 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 659 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 660 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 661 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 662 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 663 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 664 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 665 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 666 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 667 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 668 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 669 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 670 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 671 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 672 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 673 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 674 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 675 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 676 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 677 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 678 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 679 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 680 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 681 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 682 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 683 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 684 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 685 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 686 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 687 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 688 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 689 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 690 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 691 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 692 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 693 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 694 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 695 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 696 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 697 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 698 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 699 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 700 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 701 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 702 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 703 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 704 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 705 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 706 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 707 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 708 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 709 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 710 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 711 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 712 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 713 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 714 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 715 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 716 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 717 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 718 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 719 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 720 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 721 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 722 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 723 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 724 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 725 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 726 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 727 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 728 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 729 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 730 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 731 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 732 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 733 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 734 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 735 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 736 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 737 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 738 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 739 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 740 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 741 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 742 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 743 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 744 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 745 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 746 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 747 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 748 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 749 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 750 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 751 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 752 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 753 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 754 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 755 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 756 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 757 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 758 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 759 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 760 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 761 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 762 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 763 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 764 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 765 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 766 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 767 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 768 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 769 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | | 770 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 771 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 771 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | | 772 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 773 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 774 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | -| 775 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 773 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 774 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 775 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 776 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform | | 777 | CKV_LIN_1 | provider | linode | Ensure no hard coded Linode tokens exist in provider | Terraform | | 778 | CKV_LIN_2 | resource | linode_instance | Ensure SSH key set in authorized_keys | Terraform | From 3dd05330121c39d3eec6e00940f4fa6d5c35caac Mon Sep 17 00:00:00 2001 From: Barak Schoster Goihman Date: Tue, 10 Aug 2021 10:03:57 +0300 Subject: [PATCH 050/203] update pipenv packages (#1484) Co-authored-by: GitHub Action --- docs/5.Policy Index/serverless.md | 130 ------------------------------ 1 file changed, 130 deletions(-) diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index 020ab484d2..d35af83ca3 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md @@ -16,133 +16,3 @@ nav_order: 1 --- -| | Id | Type | Entity | Policy | IaC | -|-----|-------------|----------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| -| 0 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | -| 1 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | -| 2 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | -| 3 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | -| 4 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | -| 5 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | -| 6 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | -| 7 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | -| 8 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | -| 9 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | -| 10 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | -| 11 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | -| 12 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | -| 13 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | -| 14 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | -| 15 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 16 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 17 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 18 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 19 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | -| 20 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | -| 21 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | -| 22 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | -| 23 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | -| 24 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | -| 25 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | -| 26 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | -| 27 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | -| 28 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | -| 29 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | -| 30 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | -| 31 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | -| 32 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | -| 33 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | -| 34 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | -| 35 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | -| 36 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | -| 37 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | -| 38 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | -| 39 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | -| 40 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | -| 41 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | -| 42 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | -| 43 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | -| 44 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | -| 45 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | -| 46 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | -| 47 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | -| 48 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | -| 49 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | -| 50 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | -| 51 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | -| 52 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | -| 53 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | -| 54 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | -| 55 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | -| 56 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | -| 57 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | -| 58 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | -| 59 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | -| 60 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | -| 61 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | -| 62 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | -| 63 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | -| 64 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | -| 65 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | -| 66 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | -| 67 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | -| 68 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | -| 69 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | -| 70 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | -| 71 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | -| 72 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | -| 73 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | -| 74 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | -| 75 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | -| 76 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | -| 77 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | -| 78 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | -| 79 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | -| 80 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 81 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 82 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 83 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 84 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 85 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 86 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 87 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 88 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 89 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 90 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 91 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 92 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 93 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 94 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 95 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 96 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 97 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 98 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 99 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 100 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 101 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 102 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 103 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 104 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 105 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | -| 106 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | -| 107 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | -| 108 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | -| 109 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | -| 110 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | -| 111 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | -| 112 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | -| 113 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | -| 114 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | -| 115 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | -| 116 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | -| 117 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | -| 118 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | -| 119 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | -| 120 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | -| 121 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | -| 122 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | - - ---- - - From e638847a2470626191bf87bce5ed49517b42e5af Mon Sep 17 00:00:00 2001 From: Barak Schoster Goihman Date: Tue, 10 Aug 2021 10:03:57 +0300 Subject: [PATCH 051/203] update pipenv packages (#1484) Co-authored-by: GitHub Action --- docs/5.Policy Index/all.md | 598 ++++++++++++++++++------------------- 1 file changed, 299 insertions(+), 299 deletions(-) diff --git a/docs/5.Policy Index/all.md b/docs/5.Policy Index/all.md index 012aeaa257..221fe7d576 100644 --- a/docs/5.Policy Index/all.md +++ b/docs/5.Policy Index/all.md @@ -333,8 +333,8 @@ nav_order: 1 | 322 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | | 323 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | | 324 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 325 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | -| 326 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 325 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 326 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | | 327 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to an other resource | Terraform | | 328 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | | 329 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | @@ -349,20 +349,20 @@ nav_order: 1 | 338 | CKV2_AWS_13 | resource | aws_redshift_cluster | Ensure that Redshift clusters has backup plan of AWS Backup | Terraform | | 339 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | | 340 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | -| 341 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 342 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 343 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | -| 344 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | +| 341 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 342 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 343 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | +| 344 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 345 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | -| 346 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 347 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 348 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | -| 349 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 346 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | +| 347 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | +| 348 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 349 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | | 350 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | | 351 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | | 352 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | -| 353 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | -| 354 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | +| 353 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | +| 354 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | | 355 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | | 356 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | | 357 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | @@ -569,29 +569,29 @@ nav_order: 1 | 558 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | | 559 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | | 560 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 561 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 562 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 563 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 564 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 565 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 566 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 567 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 568 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 569 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 561 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 562 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 563 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 564 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 565 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 566 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 567 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 568 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 569 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | | 570 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 571 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 572 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | | 573 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 574 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 575 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | -| 576 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | -| 577 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 576 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 577 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | | 578 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | | 579 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | | 580 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | | 581 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | -| 582 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | -| 583 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | +| 582 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | +| 583 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | | 584 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | | 585 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | | 586 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | @@ -600,12 +600,12 @@ nav_order: 1 | 589 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 590 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 591 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | -| 592 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 592 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | | 593 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 594 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 595 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 596 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 597 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 594 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 595 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 596 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 597 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 598 | CKV_DOCKER_1 | dockerfile | EXPOSE | Ensure port 22 is not exposed | dockerfile | | 599 | CKV_DOCKER_2 | dockerfile | * | Ensure that HEALTHCHECK instructions have been added to container images | dockerfile | | 600 | CKV_DOCKER_3 | dockerfile | * | Ensure that a user for the container has been created | dockerfile | @@ -698,277 +698,277 @@ nav_order: 1 | 687 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | | 688 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | | 689 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 690 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 691 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 692 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 693 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 694 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 695 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 696 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 697 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 698 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 699 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 700 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 701 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 702 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 703 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 704 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 705 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 706 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 707 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 708 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 709 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 710 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 711 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 712 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 713 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 714 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 715 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 716 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 717 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 718 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 719 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 720 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 721 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 722 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 723 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 724 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 725 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 726 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 727 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 728 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 729 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 730 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 731 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 732 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 733 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 734 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 735 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 736 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 737 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 738 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 739 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 740 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 741 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 742 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 743 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 744 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 745 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 746 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 747 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 748 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 749 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 750 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 751 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 752 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 753 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 754 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 755 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 756 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 757 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 758 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 759 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 760 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 761 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 762 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 763 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 764 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 765 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 766 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 767 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 768 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 769 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 770 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 771 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 772 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 773 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 774 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 775 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 776 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 777 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 778 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 779 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 780 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 781 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 782 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 783 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 784 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 785 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 786 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 787 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 788 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 789 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 790 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 791 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 792 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 793 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 794 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 795 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 796 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 797 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 798 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 799 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 800 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 801 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 802 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 803 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 804 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 805 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 806 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 807 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 808 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 809 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 810 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 811 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 812 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 813 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 814 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 815 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 816 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 817 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 818 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 819 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 820 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 821 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 822 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 823 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 824 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 825 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 826 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 827 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 828 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 829 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 830 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 831 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 832 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 833 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 834 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 835 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 836 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 837 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 838 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 839 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 840 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 841 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 842 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 843 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 844 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 845 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 846 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 847 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 848 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 849 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 850 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 851 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 852 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 853 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 854 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 855 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 856 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 857 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 858 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 859 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 860 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 861 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 862 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 863 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 864 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 865 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 866 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 867 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 868 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 869 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 870 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 871 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 872 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 873 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 874 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 875 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 876 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 877 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 878 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 879 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 880 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 881 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 882 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 883 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 884 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 885 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 886 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 887 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 888 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 889 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 890 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 891 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 892 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 893 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 894 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 895 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 896 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 897 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 898 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 899 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 900 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 901 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 902 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 903 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 904 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 905 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 906 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 907 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 908 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 909 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 910 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 911 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 912 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 913 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 914 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 915 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 916 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 917 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 918 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 919 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 920 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 921 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 922 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 923 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 924 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 925 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 926 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 927 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 928 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 929 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 930 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 931 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 932 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 933 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 934 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 935 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 936 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 937 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 938 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 939 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 940 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 941 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 942 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 943 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 944 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 945 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 946 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 947 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 948 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 949 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 950 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 951 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 952 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 690 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 691 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 692 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 693 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 694 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 695 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 696 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 697 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 698 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 699 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 700 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 701 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 702 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 703 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 704 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 705 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 706 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 707 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 708 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 709 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 710 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 711 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 712 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 713 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 714 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 715 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 716 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 717 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 718 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 719 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 720 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 721 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 722 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 723 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 724 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 725 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 726 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 727 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 728 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 729 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 730 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 731 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 732 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 733 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 734 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 735 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 736 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 737 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 738 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 739 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 740 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 741 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 742 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 743 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 744 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 745 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 746 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 747 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 748 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 749 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 750 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 751 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 752 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 753 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 754 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 755 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 756 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 757 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 758 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 759 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 760 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 761 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 762 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 763 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 764 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 765 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 766 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 767 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 768 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 769 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 770 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 771 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 772 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 773 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 774 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 775 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 776 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 777 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 778 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 779 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 780 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 781 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 782 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 783 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 784 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 785 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 786 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 787 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 788 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 789 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 790 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 791 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 792 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 793 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 794 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 795 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 796 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 797 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 798 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 799 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 800 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 801 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 802 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 803 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 804 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 805 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 806 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 807 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 808 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 809 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 810 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 811 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 812 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 813 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 814 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 815 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 816 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 817 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 818 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 819 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 820 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 821 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 822 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 823 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 824 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 825 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 826 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 827 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 828 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 829 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 830 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 831 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 832 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 833 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 834 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 835 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 836 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 837 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 838 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 839 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 840 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 841 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 842 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 843 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 844 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 845 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 846 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 847 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 848 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 849 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 850 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 851 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 852 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 853 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 854 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 855 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 856 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 857 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 858 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 859 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 860 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 861 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 862 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 863 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 864 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 865 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 866 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 867 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 868 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 869 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 870 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 871 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 872 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 873 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 874 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 875 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 876 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 877 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 878 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 879 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 880 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 881 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 882 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 883 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 884 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 885 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 886 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 887 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 888 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 889 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 890 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 891 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 892 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 893 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 894 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 895 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 896 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 897 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 898 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 899 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 900 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 901 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 902 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 903 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 904 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 905 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 906 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 907 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 908 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 909 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 910 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 911 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 912 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 913 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 914 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 915 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 916 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 917 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 918 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 919 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 920 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 921 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 922 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 923 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 924 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 925 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 926 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 927 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 928 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 929 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 930 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 931 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 932 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 933 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 934 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 935 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 936 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 937 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 938 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 939 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 940 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 941 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 942 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 943 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 944 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 945 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 946 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 947 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 948 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 949 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 950 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 951 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 952 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 953 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 954 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 954 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 955 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 956 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 957 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 958 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 959 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 960 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 956 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 957 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 958 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 959 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 960 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | | 961 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 962 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 963 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform | From 5fe4b10c4249cf84fb5c5110034ffab5e15a8733 Mon Sep 17 00:00:00 2001 From: Barak Schoster Goihman Date: Tue, 10 Aug 2021 10:03:57 +0300 Subject: [PATCH 052/203] update pipenv packages (#1484) Co-authored-by: GitHub Action --- docs/5.Policy Index/serverless.md | 130 ++++++++++++++++++++++++++++++ 1 file changed, 130 insertions(+) diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index d35af83ca3..020ab484d2 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md @@ -16,3 +16,133 @@ nav_order: 1 --- +| | Id | Type | Entity | Policy | IaC | +|-----|-------------|----------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| +| 0 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | +| 1 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | +| 2 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | +| 3 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | +| 4 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | +| 5 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | +| 6 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | +| 7 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | +| 8 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | +| 9 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | +| 10 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | +| 11 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | +| 12 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | +| 13 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | +| 14 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | +| 15 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 16 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 17 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 18 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 19 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | +| 20 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | +| 21 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | +| 22 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | +| 23 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | +| 24 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | +| 25 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | +| 26 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | +| 27 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | +| 28 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | +| 29 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | +| 30 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | +| 31 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | +| 32 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | +| 33 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | +| 34 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | +| 35 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | +| 36 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | +| 37 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | +| 38 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | +| 39 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | +| 40 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | +| 41 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | +| 42 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | +| 43 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | +| 44 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | +| 45 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | +| 46 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | +| 47 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | +| 48 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | +| 49 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | +| 50 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | +| 51 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | +| 52 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | +| 53 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | +| 54 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | +| 55 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | +| 56 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | +| 57 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | +| 58 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | +| 59 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | +| 60 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | +| 61 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | +| 62 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | +| 63 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | +| 64 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | +| 65 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | +| 66 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | +| 67 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | +| 68 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | +| 69 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | +| 70 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | +| 71 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | +| 72 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | +| 73 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | +| 74 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | +| 75 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | +| 76 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | +| 77 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | +| 78 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | +| 79 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | +| 80 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 81 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 82 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 83 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 84 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 85 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 86 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 87 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 88 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 89 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 90 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 91 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 92 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 93 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 94 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 95 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 96 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 97 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 98 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 99 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 100 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 101 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 102 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 103 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 104 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 105 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | +| 106 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | +| 107 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | +| 108 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | +| 109 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | +| 110 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | +| 111 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | +| 112 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | +| 113 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | +| 114 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | +| 115 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | +| 116 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | +| 117 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | +| 118 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | +| 119 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | +| 120 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | +| 121 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | +| 122 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | + + +--- + + From 6130361ad04c8b03c37d6b134143a28a8d5c5b65 Mon Sep 17 00:00:00 2001 From: Barak Schoster Goihman Date: Tue, 10 Aug 2021 10:03:57 +0300 Subject: [PATCH 053/203] update pipenv packages (#1484) Co-authored-by: GitHub Action --- checkov/version.py | 2 +- kubernetes/requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/checkov/version.py b/checkov/version.py index f0d641fc0c..7ff5e41b26 100644 --- a/checkov/version.py +++ b/checkov/version.py @@ -1 +1 @@ -version = '2.0.342' +version = '2.0.343' diff --git a/kubernetes/requirements.txt b/kubernetes/requirements.txt index 5d4f544a94..38f5b2fe93 100644 --- a/kubernetes/requirements.txt +++ b/kubernetes/requirements.txt @@ -1 +1 @@ -checkov==2.0.342 +checkov==2.0.343 From 7321a969b1354b773dec1482bcd79b797b03c5e1 Mon Sep 17 00:00:00 2001 From: James Woolfenden Date: Tue, 10 Aug 2021 10:00:37 +0100 Subject: [PATCH 054/203] review changes --- .../checks/resource/aws/CodeBuildProjectEncryption.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/checkov/terraform/checks/resource/aws/CodeBuildProjectEncryption.py b/checkov/terraform/checks/resource/aws/CodeBuildProjectEncryption.py index 315bffc5de..995a495277 100644 --- a/checkov/terraform/checks/resource/aws/CodeBuildProjectEncryption.py +++ b/checkov/terraform/checks/resource/aws/CodeBuildProjectEncryption.py @@ -17,9 +17,11 @@ def scan_resource_conf(self, conf): artifact = conf['artifacts'][0] if isinstance(artifact, dict): if artifact['type'] == ["NO_ARTIFACTS"]: + self.evaluated_keys = 'artifacts/[0]/type' return CheckResult.UNKNOWN - if 'encryption_disabled' in artifact: + if 'encryption_disabled' in artifact: if artifact['encryption_disabled'] == [True]: + self.evaluated_keys = 'artifacts/[0]/encryption_disabled' return CheckResult.FAILED return CheckResult.PASSED From 194e1d5ae9774ac82e7dfb0639dcc000f54af75e Mon Sep 17 00:00:00 2001 From: naorda Date: Tue, 10 Aug 2021 12:18:31 +0300 Subject: [PATCH 055/203] check if resource is dictionary (#1485) --- checkov/arm/runner.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/checkov/arm/runner.py b/checkov/arm/runner.py index 05b1de9004..9634aed481 100644 --- a/checkov/arm/runner.py +++ b/checkov/arm/runner.py @@ -69,7 +69,7 @@ def run(self, root_folder, external_checks_dir=None, files=None, runner_filter=R # Split out nested resources from base resource for resource in definitions[arm_file]['resources']: - if "parent_name" in resource.keys(): + if isinstance(resource, dict) and "parent_name" in resource.keys(): continue nested_resources = [] nested_resources = arm_context_parser.search_deep_keys("resources", resource, []) From f31ec7a6c5870e6be4837899d7ef8cbd867712e5 Mon Sep 17 00:00:00 2001 From: naorda Date: Tue, 10 Aug 2021 12:18:31 +0300 Subject: [PATCH 056/203] check if resource is dictionary (#1485) --- docs/5.Policy Index/terraform.md | 604 +++++++++++++++---------------- 1 file changed, 302 insertions(+), 302 deletions(-) diff --git a/docs/5.Policy Index/terraform.md b/docs/5.Policy Index/terraform.md index 447fbf8478..c7ce2c5773 100644 --- a/docs/5.Policy Index/terraform.md +++ b/docs/5.Policy Index/terraform.md @@ -205,24 +205,24 @@ nav_order: 1 | 194 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | | 195 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | | 196 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | -| 197 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 198 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | +| 197 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | +| 198 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | | 199 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | | 200 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | | 201 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to an other resource | Terraform | -| 202 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | -| 203 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | -| 204 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | -| 205 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 202 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | +| 203 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | +| 204 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 205 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | | 206 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | | 207 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | | 208 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | | 209 | CKV2_AWS_11 | resource | aws_vpc | Ensure VPC flow logging is enabled in all VPCs | Terraform | -| 210 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | -| 211 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 210 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 211 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | | 212 | CKV2_AWS_13 | resource | aws_redshift_cluster | Ensure that Redshift clusters has backup plan of AWS Backup | Terraform | -| 213 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | -| 214 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | +| 213 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | +| 214 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | | 215 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | | 216 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | | 217 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | @@ -230,8 +230,8 @@ nav_order: 1 | 219 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | | 220 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | | 221 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 222 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | -| 223 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 222 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 223 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | | 224 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | | 225 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | | 226 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | @@ -388,29 +388,29 @@ nav_order: 1 | 377 | CKV_AZURE_130 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables infrastructure encryption | Terraform | | 378 | CKV_AZURE_131 | resource | azurerm_security_center_contact | Ensure that 'Security contact emails' is set | Terraform | | 379 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | -| 380 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 381 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 382 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 380 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 381 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 382 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 383 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 384 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 385 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 384 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 385 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 386 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 387 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 388 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 387 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 388 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | | 389 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 390 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 391 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | -| 392 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 390 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 391 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 392 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 393 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | | 394 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 395 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 396 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | -| 397 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | -| 398 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 397 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 398 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | | 399 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | | 400 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | -| 401 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | -| 402 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | +| 401 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | +| 402 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | | 403 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | | 404 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | | 405 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | @@ -418,15 +418,15 @@ nav_order: 1 | 407 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | | 408 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | | 409 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 410 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | -| 411 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 410 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 411 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 412 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | -| 413 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 414 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 415 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 416 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 417 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 418 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 413 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 414 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 415 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 416 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 417 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 418 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 419 | CKV_GCP_1 | resource | google_container_cluster | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters | Terraform | | 420 | CKV_GCP_2 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted ssh access | Terraform | | 421 | CKV_GCP_3 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted rdp access | Terraform | @@ -511,277 +511,277 @@ nav_order: 1 | 500 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | | 501 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | | 502 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 503 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 504 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 505 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 506 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 507 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 508 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 509 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 510 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 511 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 512 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 513 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 514 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 515 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 516 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 517 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 518 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 519 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 520 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 521 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 522 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 523 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 524 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 525 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 526 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 527 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 528 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 529 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 530 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 531 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 532 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 533 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 534 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 535 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 536 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 537 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 538 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 539 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 540 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 541 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 542 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 543 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 544 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 545 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 546 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 547 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 548 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 549 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 550 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 551 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 552 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 553 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 554 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 555 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 556 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 557 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 558 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 559 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 560 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 561 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 562 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 563 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 564 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 565 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 566 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 567 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 568 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 569 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 570 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 571 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 572 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 573 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 574 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 575 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 576 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 577 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 578 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 579 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 580 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 581 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 582 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 583 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 584 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 585 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 586 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 587 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 588 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 589 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 590 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 591 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 592 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 593 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 594 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 595 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 596 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 597 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 598 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 599 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 600 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 601 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 602 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 603 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 604 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 605 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 606 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 607 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 608 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 609 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 610 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 611 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 612 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 613 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 614 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 615 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 616 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 617 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 618 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 619 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 620 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 621 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 622 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 623 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 624 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 625 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 626 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 503 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 504 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 505 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 506 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 507 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 508 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 509 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 510 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 511 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 512 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 513 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 514 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 515 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 516 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 517 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 518 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 519 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 520 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 521 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 522 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 523 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 524 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 525 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 526 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 527 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 528 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 529 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 530 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 531 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 532 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 533 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 534 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 535 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 536 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 537 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 538 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 539 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 540 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 541 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 542 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 543 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 544 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 545 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 546 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 547 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 548 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 549 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 550 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 551 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 552 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 553 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 554 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 555 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 556 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 557 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 558 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 559 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 560 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 561 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 562 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 563 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 564 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 565 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 566 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 567 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 568 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 569 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 570 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 571 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 572 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 573 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 574 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 575 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 576 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 577 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 578 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 579 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 580 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 581 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 582 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 583 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 584 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 585 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 586 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 587 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 588 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 589 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 590 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 591 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 592 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 593 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 594 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 595 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 596 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 597 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 598 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 599 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 600 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 601 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 602 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 603 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 604 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 605 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 606 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 607 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 608 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 609 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 610 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 611 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 612 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 613 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 614 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 615 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 616 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 617 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 618 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 619 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 620 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 621 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 622 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 623 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 624 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 625 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 626 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 627 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 628 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 629 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 630 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 631 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 632 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 633 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 634 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 635 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 636 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 637 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 638 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 639 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 640 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 641 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 642 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 643 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 644 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 645 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 646 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 647 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 648 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 649 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 650 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 651 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 652 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 653 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 654 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 655 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 656 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 657 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 658 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 659 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 660 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 661 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 662 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 663 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 664 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 665 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 666 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 667 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 668 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 669 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 670 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 671 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 672 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 673 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 674 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 675 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 676 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 677 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 678 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 679 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 680 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 681 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 682 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 683 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 684 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 685 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 686 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 687 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 688 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 689 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 690 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 691 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 692 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 693 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 694 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 695 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 696 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 697 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 698 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 699 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 700 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 701 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 702 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 703 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 704 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 705 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 706 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 707 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 708 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 709 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 710 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 711 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 712 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 713 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 714 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 715 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 716 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 717 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 718 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 719 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 720 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 721 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 722 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 723 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 724 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 725 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 726 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 727 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 728 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 729 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 730 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 731 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 732 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 733 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 734 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 735 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 736 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 737 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 738 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 739 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 740 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 741 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 742 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 743 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 744 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 745 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 746 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 747 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 748 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 749 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 750 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 751 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 752 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 753 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 754 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 755 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 756 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 757 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 758 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 759 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 760 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 761 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 762 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 763 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 764 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 628 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 629 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 630 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 631 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 632 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 633 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 634 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 635 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 636 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 637 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 638 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 639 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 640 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 641 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 642 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 643 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 644 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 645 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 646 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 647 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 648 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 649 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 650 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 651 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 652 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 653 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 654 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 655 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 656 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 657 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 658 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 659 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 660 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 661 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 662 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 663 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 664 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 665 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 666 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 667 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 668 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 669 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 670 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 671 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 672 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 673 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 674 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 675 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 676 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 677 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 678 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 679 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 680 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 681 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 682 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 683 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 684 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 685 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 686 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 687 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 688 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 689 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 690 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 691 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 692 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 693 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 694 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 695 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 696 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 697 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 698 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 699 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 700 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 701 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 702 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 703 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 704 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 705 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 706 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 707 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 708 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 709 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 710 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 711 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 712 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 713 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 714 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 715 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 716 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 717 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 718 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 719 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 720 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 721 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 722 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 723 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 724 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 725 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 726 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 727 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 728 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 729 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 730 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 731 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 732 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 733 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 734 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 735 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 736 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 737 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 738 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 739 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 740 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 741 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 742 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 743 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 744 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 745 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 746 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 747 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 748 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 749 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 750 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 751 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 752 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 753 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 754 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 755 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 756 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 757 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 758 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 759 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 760 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 761 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 762 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 763 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 764 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 765 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 766 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 767 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 768 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 769 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 770 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 766 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 767 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 768 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 769 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 770 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | | 771 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 772 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 773 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 772 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 773 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | | 774 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 775 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 776 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform | From d25882c90c5fde2bc9d8f60544b0e62ea6274fcb Mon Sep 17 00:00:00 2001 From: naorda Date: Tue, 10 Aug 2021 12:18:31 +0300 Subject: [PATCH 057/203] check if resource is dictionary (#1485) --- docs/5.Policy Index/serverless.md | 130 ------------------------------ 1 file changed, 130 deletions(-) diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index 020ab484d2..d35af83ca3 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md @@ -16,133 +16,3 @@ nav_order: 1 --- -| | Id | Type | Entity | Policy | IaC | -|-----|-------------|----------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| -| 0 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | -| 1 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | -| 2 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | -| 3 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | -| 4 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | -| 5 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | -| 6 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | -| 7 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | -| 8 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | -| 9 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | -| 10 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | -| 11 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | -| 12 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | -| 13 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | -| 14 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | -| 15 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 16 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 17 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 18 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 19 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | -| 20 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | -| 21 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | -| 22 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | -| 23 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | -| 24 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | -| 25 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | -| 26 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | -| 27 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | -| 28 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | -| 29 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | -| 30 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | -| 31 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | -| 32 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | -| 33 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | -| 34 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | -| 35 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | -| 36 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | -| 37 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | -| 38 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | -| 39 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | -| 40 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | -| 41 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | -| 42 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | -| 43 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | -| 44 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | -| 45 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | -| 46 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | -| 47 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | -| 48 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | -| 49 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | -| 50 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | -| 51 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | -| 52 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | -| 53 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | -| 54 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | -| 55 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | -| 56 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | -| 57 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | -| 58 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | -| 59 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | -| 60 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | -| 61 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | -| 62 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | -| 63 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | -| 64 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | -| 65 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | -| 66 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | -| 67 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | -| 68 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | -| 69 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | -| 70 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | -| 71 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | -| 72 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | -| 73 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | -| 74 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | -| 75 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | -| 76 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | -| 77 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | -| 78 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | -| 79 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | -| 80 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 81 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 82 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 83 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 84 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 85 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 86 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 87 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 88 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 89 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 90 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 91 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 92 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 93 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 94 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 95 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 96 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 97 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 98 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 99 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 100 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 101 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 102 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 103 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 104 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 105 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | -| 106 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | -| 107 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | -| 108 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | -| 109 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | -| 110 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | -| 111 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | -| 112 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | -| 113 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | -| 114 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | -| 115 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | -| 116 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | -| 117 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | -| 118 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | -| 119 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | -| 120 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | -| 121 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | -| 122 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | - - ---- - - From 9da63d5d6b125eca3d03d3548872f554f6ea0d43 Mon Sep 17 00:00:00 2001 From: naorda Date: Tue, 10 Aug 2021 12:18:31 +0300 Subject: [PATCH 058/203] check if resource is dictionary (#1485) --- docs/5.Policy Index/all.md | 578 ++++++++++++++++++------------------- 1 file changed, 289 insertions(+), 289 deletions(-) diff --git a/docs/5.Policy Index/all.md b/docs/5.Policy Index/all.md index 221fe7d576..218990ad80 100644 --- a/docs/5.Policy Index/all.md +++ b/docs/5.Policy Index/all.md @@ -329,17 +329,17 @@ nav_order: 1 | 318 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | | 319 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | | 320 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | -| 321 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | -| 322 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | -| 323 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 324 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | +| 321 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 322 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 323 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | +| 324 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | | 325 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | | 326 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | | 327 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to an other resource | Terraform | -| 328 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | -| 329 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | -| 330 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | -| 331 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 328 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | +| 329 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | +| 330 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 331 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | | 332 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | | 333 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | | 334 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | @@ -351,8 +351,8 @@ nav_order: 1 | 340 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | | 341 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | | 342 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 343 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | -| 344 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | +| 343 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | +| 344 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 345 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | | 346 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | | 347 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | @@ -361,11 +361,11 @@ nav_order: 1 | 350 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | | 351 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | | 352 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | -| 353 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | -| 354 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | +| 353 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | +| 354 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | | 355 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | -| 356 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | -| 357 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | +| 356 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | +| 357 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | | 358 | CKV_AZURE_1 | resource | azurerm_linux_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | | 359 | CKV_AZURE_1 | resource | azurerm_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | | 360 | CKV_AZURE_1 | resource | Microsoft.Compute/virtualMachines | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | arm | @@ -593,16 +593,16 @@ nav_order: 1 | 582 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | | 583 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | | 584 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | -| 585 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 586 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 585 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 586 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | | 587 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | | 588 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 589 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | -| 590 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 589 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 590 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 591 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | | 592 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 593 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 594 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 593 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 594 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | | 595 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 596 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 597 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | @@ -698,279 +698,279 @@ nav_order: 1 | 687 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | | 688 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | | 689 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 690 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 691 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 692 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 693 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 694 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 695 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 696 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 697 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 698 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 699 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 700 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 701 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 702 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 703 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 704 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 705 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 706 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 707 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 708 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 709 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 710 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 711 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 712 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 713 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 714 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 715 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 716 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 717 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 718 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 719 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 720 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 721 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 722 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 723 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 724 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 725 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 726 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 727 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 728 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 729 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 730 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 731 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 732 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 733 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 734 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 735 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 736 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 737 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 738 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 739 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 740 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 741 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 742 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 743 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 744 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 745 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 746 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 747 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 748 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 749 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 750 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 751 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 752 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 753 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 754 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 755 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 756 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 757 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 758 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 759 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 760 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 761 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 762 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 763 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 764 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 765 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 766 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 767 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 768 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 769 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 770 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 771 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 772 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 773 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 774 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 775 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 776 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 777 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 778 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 779 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 780 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 781 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 782 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 783 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 784 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 785 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 786 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 787 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 788 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 789 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 790 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 791 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 792 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 793 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 794 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 795 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 796 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 797 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 798 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 799 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 800 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 801 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 802 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 803 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 804 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 805 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 806 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 807 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 808 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 809 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 810 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 811 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 812 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 813 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 814 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 815 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 816 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 817 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 818 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 819 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 820 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 821 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 822 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 823 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 824 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 825 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 826 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 827 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 828 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 829 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 830 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 831 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 832 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 833 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 834 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 835 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 836 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 837 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 838 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 839 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 840 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 841 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 842 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 843 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 844 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 845 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 846 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 847 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 848 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 849 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 850 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 851 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 852 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 853 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 854 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 855 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 856 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 857 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 858 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 859 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 860 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 861 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 862 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 863 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 864 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 865 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 866 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 867 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 868 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 869 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 870 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 871 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 872 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 873 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 874 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 875 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 876 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 877 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 878 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 879 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 880 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 881 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 882 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 883 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 884 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 885 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 886 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 887 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 888 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 889 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 890 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 891 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 892 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 893 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 894 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 895 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 896 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 897 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 898 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 899 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 900 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 901 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 902 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 903 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 904 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 905 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 906 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 907 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 908 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 909 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 910 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 911 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 912 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 913 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 914 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 915 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 916 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 917 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 918 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 919 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 920 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 921 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 922 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 923 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 924 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 925 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 926 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 927 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 928 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 929 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 930 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 931 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 932 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 933 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 934 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 935 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 936 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 937 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 938 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 939 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 940 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 941 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 942 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 943 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 944 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 945 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 946 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 947 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 948 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 949 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 950 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 951 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 690 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 691 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 692 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 693 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 694 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 695 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 696 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 697 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 698 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 699 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 700 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 701 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 702 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 703 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 704 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 705 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 706 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 707 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 708 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 709 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 710 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 711 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 712 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 713 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 714 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 715 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 716 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 717 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 718 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 719 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 720 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 721 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 722 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 723 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 724 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 725 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 726 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 727 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 728 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 729 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 730 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 731 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 732 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 733 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 734 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 735 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 736 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 737 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 738 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 739 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 740 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 741 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 742 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 743 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 744 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 745 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 746 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 747 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 748 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 749 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 750 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 751 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 752 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 753 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 754 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 755 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 756 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 757 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 758 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 759 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 760 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 761 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 762 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 763 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 764 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 765 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 766 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 767 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 768 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 769 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 770 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 771 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 772 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 773 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 774 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 775 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 776 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 777 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 778 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 779 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 780 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 781 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 782 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 783 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 784 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 785 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 786 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 787 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 788 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 789 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 790 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 791 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 792 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 793 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 794 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 795 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 796 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 797 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 798 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 799 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 800 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 801 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 802 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 803 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 804 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 805 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 806 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 807 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 808 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 809 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 810 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 811 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 812 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 813 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 814 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 815 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 816 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 817 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 818 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 819 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 820 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 821 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 822 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 823 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 824 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 825 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 826 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 827 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 828 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 829 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 830 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 831 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 832 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 833 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 834 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 835 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 836 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 837 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 838 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 839 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 840 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 841 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 842 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 843 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 844 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 845 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 846 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 847 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 848 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 849 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 850 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 851 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 852 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 853 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 854 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 855 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 856 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 857 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 858 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 859 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 860 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 861 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 862 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 863 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 864 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 865 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 866 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 867 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 868 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 869 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 870 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 871 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 872 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 873 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 874 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 875 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 876 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 877 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 878 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 879 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 880 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 881 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 882 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 883 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 884 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 885 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 886 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 887 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 888 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 889 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 890 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 891 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 892 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 893 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 894 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 895 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 896 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 897 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 898 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 899 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 900 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 901 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 902 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 903 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 904 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 905 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 906 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 907 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 908 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 909 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 910 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 911 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 912 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 913 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 914 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 915 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 916 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 917 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 918 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 919 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 920 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 921 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 922 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 923 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 924 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 925 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 926 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 927 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 928 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 929 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 930 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 931 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 932 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 933 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 934 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 935 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 936 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 937 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 938 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 939 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 940 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 941 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 942 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 943 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 944 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 945 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 946 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 947 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 948 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 949 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 950 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 951 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 952 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 953 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 953 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 954 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 955 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 955 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 956 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | | 957 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 958 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 959 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 960 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 961 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | -| 962 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 958 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 959 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 960 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 961 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 962 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 963 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform | | 964 | CKV_K8S_1 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host process ID namespace | Kubernetes | | 965 | CKV_K8S_2 | resource | PodSecurityPolicy | Do not admit privileged containers | Kubernetes | From 4d6d0218d949a49eba0590822d04010b70b861e3 Mon Sep 17 00:00:00 2001 From: naorda Date: Tue, 10 Aug 2021 12:18:31 +0300 Subject: [PATCH 059/203] check if resource is dictionary (#1485) --- docs/5.Policy Index/serverless.md | 130 ++++++++++++++++++++++++++++++ 1 file changed, 130 insertions(+) diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index d35af83ca3..020ab484d2 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md @@ -16,3 +16,133 @@ nav_order: 1 --- +| | Id | Type | Entity | Policy | IaC | +|-----|-------------|----------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| +| 0 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | +| 1 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | +| 2 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | +| 3 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | +| 4 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | +| 5 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | +| 6 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | +| 7 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | +| 8 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | +| 9 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | +| 10 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | +| 11 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | +| 12 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | +| 13 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | +| 14 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | +| 15 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 16 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 17 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 18 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 19 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | +| 20 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | +| 21 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | +| 22 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | +| 23 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | +| 24 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | +| 25 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | +| 26 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | +| 27 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | +| 28 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | +| 29 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | +| 30 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | +| 31 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | +| 32 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | +| 33 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | +| 34 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | +| 35 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | +| 36 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | +| 37 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | +| 38 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | +| 39 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | +| 40 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | +| 41 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | +| 42 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | +| 43 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | +| 44 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | +| 45 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | +| 46 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | +| 47 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | +| 48 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | +| 49 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | +| 50 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | +| 51 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | +| 52 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | +| 53 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | +| 54 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | +| 55 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | +| 56 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | +| 57 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | +| 58 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | +| 59 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | +| 60 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | +| 61 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | +| 62 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | +| 63 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | +| 64 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | +| 65 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | +| 66 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | +| 67 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | +| 68 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | +| 69 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | +| 70 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | +| 71 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | +| 72 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | +| 73 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | +| 74 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | +| 75 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | +| 76 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | +| 77 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | +| 78 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | +| 79 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | +| 80 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 81 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 82 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 83 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 84 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 85 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 86 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 87 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 88 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 89 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 90 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 91 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 92 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 93 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 94 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 95 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 96 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 97 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 98 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 99 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 100 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 101 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 102 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 103 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 104 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 105 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | +| 106 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | +| 107 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | +| 108 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | +| 109 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | +| 110 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | +| 111 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | +| 112 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | +| 113 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | +| 114 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | +| 115 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | +| 116 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | +| 117 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | +| 118 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | +| 119 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | +| 120 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | +| 121 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | +| 122 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | + + +--- + + From 453662aa990d2cadf9ff201d82c91c34b01c718b Mon Sep 17 00:00:00 2001 From: naorda Date: Tue, 10 Aug 2021 12:18:31 +0300 Subject: [PATCH 060/203] check if resource is dictionary (#1485) --- checkov/version.py | 2 +- kubernetes/requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/checkov/version.py b/checkov/version.py index 7ff5e41b26..d21e781dfb 100644 --- a/checkov/version.py +++ b/checkov/version.py @@ -1 +1 @@ -version = '2.0.343' +version = '2.0.344' diff --git a/kubernetes/requirements.txt b/kubernetes/requirements.txt index 38f5b2fe93..61ebc2388f 100644 --- a/kubernetes/requirements.txt +++ b/kubernetes/requirements.txt @@ -1 +1 @@ -checkov==2.0.343 +checkov==2.0.344 From f0373995895dd2dd12fe054d6da851f6e7af6842 Mon Sep 17 00:00:00 2001 From: naorda Date: Thu, 12 Aug 2021 11:21:18 +0300 Subject: [PATCH 061/203] K8 None/empty assertion (#1490) * handle None/empty data given to the K8 runner * handle None/empty data given to the K8 runner * handle None/empty data given to the K8 runner * Update checkov/kubernetes/runner.py Co-authored-by: Nimrod Kor * Update checkov/kubernetes/runner.py Co-authored-by: Nimrod Kor Co-authored-by: Nimrod Kor --- checkov/kubernetes/runner.py | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/checkov/kubernetes/runner.py b/checkov/kubernetes/runner.py index 3ba7a1b8de..51334e18c2 100644 --- a/checkov/kubernetes/runner.py +++ b/checkov/kubernetes/runner.py @@ -77,25 +77,27 @@ def run(self, root_folder, external_checks_dir=None, files=None, runner_filter=R logging.debug("Template Dump for {}: {}".format(k8_file, definitions[k8_file][i], indent=2)) entity_conf = definitions[k8_file][i] + if entity_conf is None: + continue # Split out resources if entity kind is List - if entity_conf["kind"] == "List": + if isinstance(entity_conf, dict) and entity_conf["kind"] == "List": for item in entity_conf.get("items", []): definitions[k8_file].append(item) for i in range(len(definitions[k8_file])): - if (not 'apiVersion' in definitions[k8_file][i].keys()) and (not 'kind' in definitions[k8_file][i].keys()): + if _is_invalid_k8_definition(definitions[k8_file][i]): continue logging.debug("Template Dump for {}: {}".format(k8_file, definitions[k8_file][i], indent=2)) entity_conf = definitions[k8_file][i] - if entity_conf["kind"] == "List": + if isinstance(entity_conf, dict) and entity_conf.get("kind") == "List": continue # Skip entity without metadata["name"] - if entity_conf.get("metadata"): - if isinstance(entity_conf["metadata"], int) or not "name" in entity_conf["metadata"]: + if isinstance(entity_conf, dict) and entity_conf.get("metadata"): + if isinstance(entity_conf["metadata"], int) or "name" not in entity_conf["metadata"]: continue else: continue @@ -135,16 +137,17 @@ def run(self, root_folder, external_checks_dir=None, files=None, runner_filter=R # Run for each definition included added container definitions for i in range(len(definitions[k8_file])): - if (not 'apiVersion' in definitions[k8_file][i].keys()) and (not 'kind' in definitions[k8_file][i].keys()): + if _is_invalid_k8_definition(definitions[k8_file][i]): continue logging.debug("Template Dump for {}: {}".format(k8_file, definitions[k8_file][i], indent=2)) entity_conf = definitions[k8_file][i] - - if entity_conf["kind"] == "List" or not entity_conf.get("kind"): + if entity_conf is None: + continue + if isinstance(entity_conf, dict) and (entity_conf["kind"] == "List" or not entity_conf.get("kind")): continue - if isinstance(entity_conf["kind"], int): + if isinstance(entity_conf, dict) and isinstance(entity_conf.get("kind"), int): continue # Skip entity without metadata["name"] or parent_metadata["name"] if not any(x in entity_conf["kind"] for x in ["containers", "initContainers"]): @@ -288,3 +291,6 @@ def find_lines(node, kv): yield x +def _is_invalid_k8_definition(definition: dict) -> bool: + return isinstance(definition, dict) and 'apiVersion' not in definition.keys() and 'kind' not in \ + definition.keys() From d11474dc15512fa81850e346e37ddda5c26e866b Mon Sep 17 00:00:00 2001 From: naorda Date: Thu, 12 Aug 2021 11:21:18 +0300 Subject: [PATCH 062/203] K8 None/empty assertion (#1490) * handle None/empty data given to the K8 runner * handle None/empty data given to the K8 runner * handle None/empty data given to the K8 runner * Update checkov/kubernetes/runner.py Co-authored-by: Nimrod Kor * Update checkov/kubernetes/runner.py Co-authored-by: Nimrod Kor Co-authored-by: Nimrod Kor --- docs/5.Policy Index/terraform.md | 600 +++++++++++++++---------------- 1 file changed, 300 insertions(+), 300 deletions(-) diff --git a/docs/5.Policy Index/terraform.md b/docs/5.Policy Index/terraform.md index c7ce2c5773..f2c35d04a2 100644 --- a/docs/5.Policy Index/terraform.md +++ b/docs/5.Policy Index/terraform.md @@ -201,35 +201,35 @@ nav_order: 1 | 190 | CKV_AWS_170 | resource | aws_qldb_ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Terraform | | 191 | CKV_AWS_171 | resource | aws_emr_security_configuration | Ensure Cluster security configuration encryption is using SSE-KMS | Terraform | | 192 | CKV_AWS_172 | resource | aws_qldb_ledger | Ensure QLDB ledger has deletion protection enabled | Terraform | -| 193 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | -| 194 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | +| 193 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | +| 194 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | | 195 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | | 196 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | | 197 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | | 198 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 199 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | -| 200 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 199 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 200 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | | 201 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to an other resource | Terraform | | 202 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | | 203 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | -| 204 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | -| 205 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 204 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 205 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | | 206 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | | 207 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | | 208 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | | 209 | CKV2_AWS_11 | resource | aws_vpc | Ensure VPC flow logging is enabled in all VPCs | Terraform | -| 210 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | -| 211 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 210 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 211 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | | 212 | CKV2_AWS_13 | resource | aws_redshift_cluster | Ensure that Redshift clusters has backup plan of AWS Backup | Terraform | -| 213 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | -| 214 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | -| 215 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 216 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 217 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | -| 218 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | +| 213 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | +| 214 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | +| 215 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 216 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 217 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | +| 218 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 219 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | -| 220 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 221 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | +| 220 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | +| 221 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | | 222 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | | 223 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | | 224 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | @@ -390,23 +390,23 @@ nav_order: 1 | 379 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | | 380 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | | 381 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 382 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 383 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 384 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 385 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 386 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 387 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 388 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 389 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 390 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 391 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | -| 392 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 382 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 383 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 384 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 385 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 386 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 387 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 388 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 389 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 390 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 391 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 392 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 393 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | -| 394 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | -| 395 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | +| 394 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | +| 395 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 396 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | -| 397 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | -| 398 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 397 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 398 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | | 399 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | | 400 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | | 401 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | @@ -511,277 +511,277 @@ nav_order: 1 | 500 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | | 501 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | | 502 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 503 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 504 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 505 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 506 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 507 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 508 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 509 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 510 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 511 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 512 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 513 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 514 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 515 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 516 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 517 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 518 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 519 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 520 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 521 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 522 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 523 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 524 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 525 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 526 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 527 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 528 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 529 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 530 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 531 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 532 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 533 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 534 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 535 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 536 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 537 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 538 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 539 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 540 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 541 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 542 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 543 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 544 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 545 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 546 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 547 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 548 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 549 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 550 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 551 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 552 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 553 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 554 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 555 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 556 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 557 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 558 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 559 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 560 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 561 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 562 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 563 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 564 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 565 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 566 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 567 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 568 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 569 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 570 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 571 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 572 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 573 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 574 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 575 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 576 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 577 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 578 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 579 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 580 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 581 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 582 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 583 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 584 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 585 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 586 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 587 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 588 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 589 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 590 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 591 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 592 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 593 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 594 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 595 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 596 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 597 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 598 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 599 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 600 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 601 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 602 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 603 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 604 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 605 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 606 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 607 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 608 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 503 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 504 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 505 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 506 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 507 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 508 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 509 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 510 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 511 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 512 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 513 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 514 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 515 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 516 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 517 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 518 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 519 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 520 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 521 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 522 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 523 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 524 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 525 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 526 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 527 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 528 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 529 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 530 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 531 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 532 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 533 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 534 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 535 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 536 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 537 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 538 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 539 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 540 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 541 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 542 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 543 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 544 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 545 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 546 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 547 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 548 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 549 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 550 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 551 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 552 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 553 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 554 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 555 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 556 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 557 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 558 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 559 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 560 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 561 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 562 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 563 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 564 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 565 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 566 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 567 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 568 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 569 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 570 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 571 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 572 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 573 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 574 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 575 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 576 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 577 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 578 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 579 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 580 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 581 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 582 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 583 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 584 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 585 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 586 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 587 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 588 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 589 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 590 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 591 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 592 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 593 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 594 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 595 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 596 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 597 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 598 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 599 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 600 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 601 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 602 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 603 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 604 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 605 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 606 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 607 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 608 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 609 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 610 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 611 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 612 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 613 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 614 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 615 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 616 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 617 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 618 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 619 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 620 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 621 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 622 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 623 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 624 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 625 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 626 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 627 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 628 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 629 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 630 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 631 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 632 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 633 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 634 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 635 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 636 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 637 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 638 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 639 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 640 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 641 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 642 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 643 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 644 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 645 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 646 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 647 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 648 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 649 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 650 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 651 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 652 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 653 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 654 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 655 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 656 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 657 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 658 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 659 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 660 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 661 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 662 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 663 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 664 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 665 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 666 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 667 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 668 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 669 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 670 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 671 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 672 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 673 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 674 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 675 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 676 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 677 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 678 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 679 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 680 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 681 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 682 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 683 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 684 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 685 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 686 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 687 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 688 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 689 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 690 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 691 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 692 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 693 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 694 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 695 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 696 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 697 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 698 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 699 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 700 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 701 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 702 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 703 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 704 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 705 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 706 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 707 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 708 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 709 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 710 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 711 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 712 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 713 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 714 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 715 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 716 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 717 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 718 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 719 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 720 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 721 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 722 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 723 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 724 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 725 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 726 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 727 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 728 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 729 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 730 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 731 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 732 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 733 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 734 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 735 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 736 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 737 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 738 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 739 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 740 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 741 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 742 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 743 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 744 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 745 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 746 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 747 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 748 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 749 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 750 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 751 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 752 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 610 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 611 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 612 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 613 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 614 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 615 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 616 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 617 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 618 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 619 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 620 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 621 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 622 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 623 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 624 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 625 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 626 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 627 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 628 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 629 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 630 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 631 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 632 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 633 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 634 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 635 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 636 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 637 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 638 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 639 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 640 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 641 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 642 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 643 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 644 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 645 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 646 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 647 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 648 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 649 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 650 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 651 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 652 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 653 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 654 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 655 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 656 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 657 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 658 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 659 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 660 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 661 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 662 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 663 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 664 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 665 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 666 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 667 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 668 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 669 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 670 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 671 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 672 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 673 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 674 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 675 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 676 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 677 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 678 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 679 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 680 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 681 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 682 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 683 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 684 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 685 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 686 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 687 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 688 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 689 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 690 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 691 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 692 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 693 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 694 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 695 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 696 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 697 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 698 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 699 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 700 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 701 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 702 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 703 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 704 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 705 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 706 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 707 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 708 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 709 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 710 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 711 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 712 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 713 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 714 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 715 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 716 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 717 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 718 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 719 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 720 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 721 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 722 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 723 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 724 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 725 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 726 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 727 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 728 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 729 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 730 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 731 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 732 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 733 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 734 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 735 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 736 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 737 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 738 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 739 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 740 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 741 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 742 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 743 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 744 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 745 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 746 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 747 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 748 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 749 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 750 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 751 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 752 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 753 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 754 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 755 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 756 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 757 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 758 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 759 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 760 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 761 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 762 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 763 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 764 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 765 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 766 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 767 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 768 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 769 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 770 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 771 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 772 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 773 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 754 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 755 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 756 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 757 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 758 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 759 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 760 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 761 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 762 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 763 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 764 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 765 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 766 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 767 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 768 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 769 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 770 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 771 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 772 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 773 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | | 774 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 775 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 776 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform | From d350e4cb691981e303a1ae643aa3f36eae19a091 Mon Sep 17 00:00:00 2001 From: naorda Date: Thu, 12 Aug 2021 11:21:18 +0300 Subject: [PATCH 063/203] K8 None/empty assertion (#1490) * handle None/empty data given to the K8 runner * handle None/empty data given to the K8 runner * handle None/empty data given to the K8 runner * Update checkov/kubernetes/runner.py Co-authored-by: Nimrod Kor * Update checkov/kubernetes/runner.py Co-authored-by: Nimrod Kor Co-authored-by: Nimrod Kor --- docs/5.Policy Index/serverless.md | 130 ------------------------------ 1 file changed, 130 deletions(-) diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index 020ab484d2..d35af83ca3 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md @@ -16,133 +16,3 @@ nav_order: 1 --- -| | Id | Type | Entity | Policy | IaC | -|-----|-------------|----------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| -| 0 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | -| 1 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | -| 2 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | -| 3 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | -| 4 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | -| 5 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | -| 6 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | -| 7 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | -| 8 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | -| 9 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | -| 10 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | -| 11 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | -| 12 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | -| 13 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | -| 14 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | -| 15 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 16 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 17 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 18 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 19 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | -| 20 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | -| 21 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | -| 22 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | -| 23 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | -| 24 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | -| 25 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | -| 26 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | -| 27 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | -| 28 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | -| 29 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | -| 30 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | -| 31 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | -| 32 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | -| 33 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | -| 34 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | -| 35 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | -| 36 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | -| 37 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | -| 38 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | -| 39 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | -| 40 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | -| 41 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | -| 42 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | -| 43 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | -| 44 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | -| 45 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | -| 46 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | -| 47 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | -| 48 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | -| 49 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | -| 50 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | -| 51 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | -| 52 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | -| 53 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | -| 54 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | -| 55 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | -| 56 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | -| 57 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | -| 58 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | -| 59 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | -| 60 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | -| 61 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | -| 62 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | -| 63 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | -| 64 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | -| 65 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | -| 66 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | -| 67 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | -| 68 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | -| 69 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | -| 70 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | -| 71 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | -| 72 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | -| 73 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | -| 74 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | -| 75 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | -| 76 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | -| 77 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | -| 78 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | -| 79 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | -| 80 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 81 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 82 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 83 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 84 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 85 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 86 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 87 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 88 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 89 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 90 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 91 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 92 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 93 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 94 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 95 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 96 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 97 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 98 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 99 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 100 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 101 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 102 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 103 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 104 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 105 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | -| 106 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | -| 107 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | -| 108 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | -| 109 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | -| 110 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | -| 111 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | -| 112 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | -| 113 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | -| 114 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | -| 115 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | -| 116 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | -| 117 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | -| 118 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | -| 119 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | -| 120 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | -| 121 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | -| 122 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | - - ---- - - From 523bb8e083e6ee317aeb86ca6dd2026de6df7a37 Mon Sep 17 00:00:00 2001 From: naorda Date: Thu, 12 Aug 2021 11:21:18 +0300 Subject: [PATCH 064/203] K8 None/empty assertion (#1490) * handle None/empty data given to the K8 runner * handle None/empty data given to the K8 runner * handle None/empty data given to the K8 runner * Update checkov/kubernetes/runner.py Co-authored-by: Nimrod Kor * Update checkov/kubernetes/runner.py Co-authored-by: Nimrod Kor Co-authored-by: Nimrod Kor --- docs/5.Policy Index/all.md | 608 ++++++++++++++++++------------------- 1 file changed, 304 insertions(+), 304 deletions(-) diff --git a/docs/5.Policy Index/all.md b/docs/5.Policy Index/all.md index 218990ad80..18fbdd5bcf 100644 --- a/docs/5.Policy Index/all.md +++ b/docs/5.Policy Index/all.md @@ -327,8 +327,8 @@ nav_order: 1 | 316 | CKV_AWS_171 | resource | aws_emr_security_configuration | Ensure Cluster security configuration encryption is using SSE-KMS | Terraform | | 317 | CKV_AWS_172 | resource | aws_qldb_ledger | Ensure QLDB ledger has deletion protection enabled | Terraform | | 318 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | -| 319 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | -| 320 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | +| 319 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | +| 320 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | | 321 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | | 322 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | | 323 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | @@ -344,28 +344,28 @@ nav_order: 1 | 333 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | | 334 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | | 335 | CKV2_AWS_11 | resource | aws_vpc | Ensure VPC flow logging is enabled in all VPCs | Terraform | -| 336 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | -| 337 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 336 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 337 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | | 338 | CKV2_AWS_13 | resource | aws_redshift_cluster | Ensure that Redshift clusters has backup plan of AWS Backup | Terraform | -| 339 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | -| 340 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | +| 339 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | +| 340 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | | 341 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | | 342 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | | 343 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 344 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 345 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | -| 346 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 347 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 348 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | -| 349 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 346 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | +| 347 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | +| 348 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 349 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | | 350 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | | 351 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | | 352 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | | 353 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | | 354 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | | 355 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | -| 356 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | -| 357 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | +| 356 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | +| 357 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | | 358 | CKV_AZURE_1 | resource | azurerm_linux_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | | 359 | CKV_AZURE_1 | resource | azurerm_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | | 360 | CKV_AZURE_1 | resource | Microsoft.Compute/virtualMachines | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | arm | @@ -567,19 +567,19 @@ nav_order: 1 | 556 | CKV_AZURE_131 | resource | azurerm_security_center_contact | Ensure that 'Security contact emails' is set | Terraform | | 557 | CKV_AZURE_131 | parameter | secureString | SecureString parameter should not have hardcoded default values | arm | | 558 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | -| 559 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 560 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 561 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 559 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 560 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 561 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 562 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 563 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 564 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 563 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 564 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 565 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 566 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 567 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 566 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 567 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | | 568 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 569 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 570 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | -| 571 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 569 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 570 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 571 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 572 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | | 573 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 574 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | @@ -588,24 +588,24 @@ nav_order: 1 | 577 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | | 578 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | | 579 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | -| 580 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | -| 581 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | +| 580 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | +| 581 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | | 582 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | | 583 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | | 584 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | | 585 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | | 586 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 587 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 588 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 589 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | -| 590 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 587 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 588 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 589 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 590 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 591 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | -| 592 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 593 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 594 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 595 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 596 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 597 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 592 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 593 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 594 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 595 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 596 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 597 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 598 | CKV_DOCKER_1 | dockerfile | EXPOSE | Ensure port 22 is not exposed | dockerfile | | 599 | CKV_DOCKER_2 | dockerfile | * | Ensure that HEALTHCHECK instructions have been added to container images | dockerfile | | 600 | CKV_DOCKER_3 | dockerfile | * | Ensure that a user for the container has been created | dockerfile | @@ -698,279 +698,279 @@ nav_order: 1 | 687 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | | 688 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | | 689 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 690 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 691 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 692 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 693 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 694 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 695 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 696 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 697 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 698 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 699 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 700 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 701 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 702 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 703 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 704 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 705 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 706 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 707 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 708 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 709 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 710 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 711 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 712 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 713 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 714 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 715 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 716 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 717 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 718 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 719 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 720 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 721 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 722 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 723 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 724 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 725 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 726 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 727 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 728 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 729 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 730 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 731 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 732 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 733 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 734 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 735 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 736 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 737 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 738 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 739 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 740 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 741 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 742 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 743 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 744 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 745 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 746 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 747 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 748 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 749 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 750 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 751 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 752 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 753 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 754 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 755 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 756 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 757 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 758 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 759 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 760 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 761 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 762 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 763 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 764 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 765 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 766 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 767 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 768 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 769 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 770 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 771 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 772 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 773 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 774 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 775 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 776 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 777 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 778 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 779 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 780 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 781 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 782 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 783 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 784 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 785 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 786 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 787 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 788 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 789 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 790 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 791 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 792 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 793 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 794 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 795 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 796 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 797 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 798 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 799 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 800 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 801 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 802 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 803 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 804 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 805 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 806 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 807 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 808 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 809 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 810 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 811 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 812 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 813 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 814 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 815 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 816 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 817 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 818 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 819 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 820 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 821 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 822 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 823 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 824 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 825 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 826 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 827 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 828 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 829 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 830 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 831 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 832 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 833 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 834 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 835 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 836 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 837 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 838 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 839 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 840 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 841 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 842 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 843 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 844 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 845 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 846 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 847 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 848 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 849 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 850 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 851 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 852 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 853 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 854 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 855 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 856 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 857 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 858 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 859 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 860 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 861 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 862 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 863 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 864 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 865 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 866 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 867 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 868 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 869 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 870 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 871 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 872 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 873 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 874 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 875 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 876 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 877 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 878 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 879 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 880 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 881 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 882 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 883 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 884 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 885 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 886 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 887 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 888 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 889 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 890 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 891 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 892 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 893 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 894 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 895 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 896 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 897 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 898 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 899 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 900 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 901 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 902 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 903 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 904 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 905 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 906 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 907 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 908 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 909 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 910 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 911 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 912 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 913 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 914 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 915 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 916 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 917 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 918 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 919 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 920 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 921 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 922 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 923 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 924 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 925 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 926 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 927 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 928 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 929 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 930 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 931 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 932 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 933 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 934 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 935 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 936 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 937 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 938 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 939 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 940 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 941 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 942 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 943 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 944 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 945 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 946 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 947 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 948 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 949 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 950 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 951 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 690 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 691 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 692 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 693 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 694 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 695 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 696 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 697 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 698 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 699 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 700 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 701 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 702 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 703 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 704 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 705 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 706 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 707 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 708 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 709 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 710 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 711 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 712 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 713 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 714 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 715 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 716 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 717 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 718 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 719 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 720 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 721 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 722 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 723 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 724 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 725 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 726 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 727 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 728 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 729 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 730 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 731 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 732 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 733 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 734 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 735 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 736 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 737 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 738 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 739 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 740 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 741 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 742 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 743 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 744 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 745 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 746 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 747 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 748 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 749 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 750 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 751 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 752 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 753 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 754 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 755 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 756 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 757 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 758 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 759 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 760 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 761 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 762 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 763 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 764 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 765 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 766 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 767 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 768 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 769 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 770 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 771 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 772 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 773 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 774 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 775 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 776 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 777 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 778 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 779 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 780 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 781 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 782 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 783 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 784 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 785 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 786 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 787 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 788 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 789 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 790 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 791 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 792 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 793 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 794 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 795 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 796 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 797 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 798 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 799 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 800 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 801 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 802 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 803 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 804 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 805 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 806 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 807 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 808 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 809 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 810 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 811 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 812 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 813 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 814 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 815 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 816 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 817 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 818 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 819 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 820 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 821 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 822 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 823 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 824 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 825 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 826 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 827 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 828 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 829 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 830 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 831 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 832 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 833 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 834 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 835 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 836 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 837 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 838 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 839 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 840 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 841 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 842 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 843 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 844 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 845 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 846 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 847 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 848 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 849 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 850 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 851 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 852 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 853 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 854 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 855 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 856 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 857 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 858 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 859 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 860 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 861 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 862 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 863 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 864 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 865 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 866 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 867 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 868 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 869 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 870 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 871 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 872 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 873 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 874 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 875 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 876 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 877 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 878 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 879 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 880 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 881 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 882 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 883 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 884 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 885 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 886 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 887 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 888 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 889 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 890 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 891 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 892 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 893 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 894 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 895 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 896 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 897 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 898 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 899 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 900 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 901 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 902 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 903 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 904 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 905 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 906 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 907 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 908 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 909 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 910 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 911 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 912 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 913 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 914 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 915 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 916 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 917 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 918 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 919 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 920 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 921 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 922 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 923 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 924 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 925 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 926 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 927 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 928 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 929 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 930 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 931 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 932 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 933 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 934 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 935 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 936 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 937 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 938 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 939 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 940 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 941 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 942 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 943 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 944 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 945 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 946 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 947 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 948 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 949 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 950 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 951 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 952 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 953 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 954 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 955 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 953 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 954 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 955 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 956 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | | 957 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 958 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 959 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 960 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 961 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | -| 962 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 958 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 959 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 960 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 961 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 962 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 963 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform | | 964 | CKV_K8S_1 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host process ID namespace | Kubernetes | | 965 | CKV_K8S_2 | resource | PodSecurityPolicy | Do not admit privileged containers | Kubernetes | From 5af753105e6a8496d973e6f560c24ab77b9cbce1 Mon Sep 17 00:00:00 2001 From: naorda Date: Thu, 12 Aug 2021 11:21:18 +0300 Subject: [PATCH 065/203] K8 None/empty assertion (#1490) * handle None/empty data given to the K8 runner * handle None/empty data given to the K8 runner * handle None/empty data given to the K8 runner * Update checkov/kubernetes/runner.py Co-authored-by: Nimrod Kor * Update checkov/kubernetes/runner.py Co-authored-by: Nimrod Kor Co-authored-by: Nimrod Kor --- docs/5.Policy Index/serverless.md | 130 ++++++++++++++++++++++++++++++ 1 file changed, 130 insertions(+) diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index d35af83ca3..020ab484d2 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md @@ -16,3 +16,133 @@ nav_order: 1 --- +| | Id | Type | Entity | Policy | IaC | +|-----|-------------|----------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| +| 0 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | +| 1 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | +| 2 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | +| 3 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | +| 4 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | +| 5 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | +| 6 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | +| 7 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | +| 8 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | +| 9 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | +| 10 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | +| 11 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | +| 12 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | +| 13 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | +| 14 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | +| 15 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 16 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 17 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 18 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 19 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | +| 20 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | +| 21 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | +| 22 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | +| 23 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | +| 24 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | +| 25 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | +| 26 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | +| 27 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | +| 28 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | +| 29 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | +| 30 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | +| 31 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | +| 32 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | +| 33 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | +| 34 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | +| 35 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | +| 36 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | +| 37 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | +| 38 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | +| 39 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | +| 40 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | +| 41 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | +| 42 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | +| 43 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | +| 44 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | +| 45 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | +| 46 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | +| 47 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | +| 48 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | +| 49 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | +| 50 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | +| 51 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | +| 52 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | +| 53 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | +| 54 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | +| 55 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | +| 56 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | +| 57 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | +| 58 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | +| 59 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | +| 60 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | +| 61 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | +| 62 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | +| 63 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | +| 64 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | +| 65 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | +| 66 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | +| 67 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | +| 68 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | +| 69 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | +| 70 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | +| 71 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | +| 72 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | +| 73 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | +| 74 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | +| 75 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | +| 76 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | +| 77 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | +| 78 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | +| 79 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | +| 80 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 81 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 82 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 83 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 84 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 85 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 86 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 87 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 88 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 89 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 90 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 91 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 92 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 93 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 94 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 95 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 96 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 97 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 98 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 99 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 100 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 101 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 102 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 103 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 104 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 105 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | +| 106 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | +| 107 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | +| 108 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | +| 109 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | +| 110 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | +| 111 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | +| 112 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | +| 113 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | +| 114 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | +| 115 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | +| 116 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | +| 117 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | +| 118 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | +| 119 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | +| 120 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | +| 121 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | +| 122 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | + + +--- + + From 442f26b9f4d610bd998939e47fbc56acc22e0b22 Mon Sep 17 00:00:00 2001 From: naorda Date: Thu, 12 Aug 2021 11:21:18 +0300 Subject: [PATCH 066/203] K8 None/empty assertion (#1490) * handle None/empty data given to the K8 runner * handle None/empty data given to the K8 runner * handle None/empty data given to the K8 runner * Update checkov/kubernetes/runner.py Co-authored-by: Nimrod Kor * Update checkov/kubernetes/runner.py Co-authored-by: Nimrod Kor Co-authored-by: Nimrod Kor --- checkov/version.py | 2 +- kubernetes/requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/checkov/version.py b/checkov/version.py index d21e781dfb..a5511742e2 100644 --- a/checkov/version.py +++ b/checkov/version.py @@ -1 +1 @@ -version = '2.0.344' +version = '2.0.345' diff --git a/kubernetes/requirements.txt b/kubernetes/requirements.txt index 61ebc2388f..53c697f787 100644 --- a/kubernetes/requirements.txt +++ b/kubernetes/requirements.txt @@ -1 +1 @@ -checkov==2.0.344 +checkov==2.0.345 From d812d1fccb8557b20e254a9a49564ecc81deeec3 Mon Sep 17 00:00:00 2001 From: barak Date: Thu, 12 Aug 2021 15:04:20 +0300 Subject: [PATCH 067/203] update gpg key --- .github/workflows/build.yml | 12 ++++++++++++ .github/workflows/pipenv-update.yml | 6 ++++++ docs/5.Policy Index/secrets.md | 25 +++++++++++++++++++++++++ 3 files changed, 43 insertions(+) create mode 100644 docs/5.Policy Index/secrets.md diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b8661461a1..ac2df3eb62 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -52,6 +52,12 @@ jobs: runs-on: [self-hosted, public, linux, x64] steps: - uses: actions/checkout@v2 + - name: Import GPG key + id: import_gpg + uses: crazy-max/ghaction-import-gpg@v3 + with: + gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }} + passphrase: ${{ secrets.PASSPHRASE }} - name: Set up Python 3.7 uses: actions/setup-python@v2 with: @@ -137,6 +143,12 @@ jobs: runs-on: [self-hosted, public, linux, x64] steps: - uses: actions/checkout@v2 + - name: Import GPG key + id: import_gpg + uses: crazy-max/ghaction-import-gpg@v3 + with: + gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }} + passphrase: ${{ secrets.PASSPHRASE }} - name: Set up Python 3.7 uses: actions/setup-python@v2 with: diff --git a/.github/workflows/pipenv-update.yml b/.github/workflows/pipenv-update.yml index 75556aae19..52146959d6 100644 --- a/.github/workflows/pipenv-update.yml +++ b/.github/workflows/pipenv-update.yml @@ -11,6 +11,12 @@ jobs: - uses: actions/checkout@v2 with: ref: ${{ github.head_ref }} + - name: Import GPG key + id: import_gpg + uses: crazy-max/ghaction-import-gpg@v3 + with: + gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }} + passphrase: ${{ secrets.PASSPHRASE }} - uses: actions/setup-python@v2 with: python-version: 3.7 diff --git a/docs/5.Policy Index/secrets.md b/docs/5.Policy Index/secrets.md new file mode 100644 index 0000000000..bd3cdcd5e8 --- /dev/null +++ b/docs/5.Policy Index/secrets.md @@ -0,0 +1,25 @@ +| | | Id | Type | Entity | Policy | IaC | +|----|---------------|----------------------------------|---------|----------------------------------|----------------------------------|---------| +| 0 | CKV_SECRET_1 | Artifactory Credentials | secrets | Artifactory Credentials | Artifactory Credentials | secrets | +| 1 | CKV_SECRET_2 | AWS Access Key | secrets | AWS Access Key | AWS Access Key | secrets | +| 2 | CKV_SECRET_3 | Azure Storage Account access key | secrets | Azure Storage Account access key | Azure Storage Account access key | secrets | +| 3 | CKV_SECRET_4 | Basic Auth Credentials | secrets | Basic Auth Credentials | Basic Auth Credentials | secrets | +| 4 | CKV_SECRET_5 | Cloudant Credentials | secrets | Cloudant Credentials | Cloudant Credentials | secrets | +| 5 | CKV_SECRET_6 | Base64 High Entropy String | secrets | Base64 High Entropy String | Base64 High Entropy String | secrets | +| 6 | CKV_SECRET_7 | IBM Cloud IAM Key | secrets | IBM Cloud IAM Key | IBM Cloud IAM Key | secrets | +| 7 | CKV_SECRET_8 | IBM COS HMAC Credentials | secrets | IBM COS HMAC Credentials | IBM COS HMAC Credentials | secrets | +| 8 | CKV_SECRET_9 | JSON Web Token | secrets | JSON Web Token | JSON Web Token | secrets | +| 9 | CKV_SECRET_11 | Mailchimp Access Key | secrets | Mailchimp Access Key | Mailchimp Access Key | secrets | +| 10 | CKV_SECRET_12 | NPM tokens | secrets | NPM tokens | NPM tokens | secrets | +| 11 | CKV_SECRET_13 | Private Key | secrets | Private Key | Private Key | secrets | +| 12 | CKV_SECRET_14 | Slack Token | secrets | Slack Token | Slack Token | secrets | +| 13 | CKV_SECRET_15 | SoftLayer Credentials | secrets | SoftLayer Credentials | SoftLayer Credentials | secrets | +| 14 | CKV_SECRET_16 | Square OAuth Secret | secrets | Square OAuth Secret | Square OAuth Secret | secrets | +| 15 | CKV_SECRET_17 | Stripe Access Key | secrets | Stripe Access Key | Stripe Access Key | secrets | +| 16 | CKV_SECRET_18 | Twilio API Key | secrets | Twilio API Key | Twilio API Key | secrets | +| 17 | CKV_SECRET_19 | Hex High Entropy String | secrets | Hex High Entropy String | Hex High Entropy String | secrets | + + +--- + + From b8933a6cfb42b610aee4c0992c89fc0d58596e10 Mon Sep 17 00:00:00 2001 From: barak Date: Thu, 12 Aug 2021 15:04:20 +0300 Subject: [PATCH 068/203] update gpg key --- docs/5.Policy Index/terraform.md | 596 +++++++++++++++---------------- 1 file changed, 298 insertions(+), 298 deletions(-) diff --git a/docs/5.Policy Index/terraform.md b/docs/5.Policy Index/terraform.md index f2c35d04a2..f68ee823f4 100644 --- a/docs/5.Policy Index/terraform.md +++ b/docs/5.Policy Index/terraform.md @@ -203,17 +203,17 @@ nav_order: 1 | 192 | CKV_AWS_172 | resource | aws_qldb_ledger | Ensure QLDB ledger has deletion protection enabled | Terraform | | 193 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | | 194 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | -| 195 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | -| 196 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | -| 197 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 198 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 199 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | -| 200 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 195 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 196 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 197 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | +| 198 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | +| 199 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 200 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | | 201 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to an other resource | Terraform | -| 202 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | -| 203 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | -| 204 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | -| 205 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 202 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | +| 203 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | +| 204 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 205 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | | 206 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | | 207 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | | 208 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | @@ -221,10 +221,10 @@ nav_order: 1 | 210 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | | 211 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | | 212 | CKV2_AWS_13 | resource | aws_redshift_cluster | Ensure that Redshift clusters has backup plan of AWS Backup | Terraform | -| 213 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | -| 214 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | -| 215 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 216 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 213 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | +| 214 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | +| 215 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 216 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | | 217 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 218 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 219 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | @@ -235,8 +235,8 @@ nav_order: 1 | 224 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | | 225 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | | 226 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | -| 227 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | -| 228 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | +| 227 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | +| 228 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | | 229 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | | 230 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | | 231 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | @@ -399,20 +399,20 @@ nav_order: 1 | 388 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | | 389 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | | 390 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 391 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | -| 392 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 391 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 392 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 393 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | -| 394 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | -| 395 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | +| 394 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | +| 395 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 396 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | -| 397 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | -| 398 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 397 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 398 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | | 399 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | | 400 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | | 401 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | | 402 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | -| 403 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | -| 404 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | +| 403 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | +| 404 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | | 405 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | | 406 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | | 407 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | @@ -422,11 +422,11 @@ nav_order: 1 | 411 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 412 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | | 413 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 414 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 415 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 414 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 415 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | | 416 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 417 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 418 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 417 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 418 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 419 | CKV_GCP_1 | resource | google_container_cluster | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters | Terraform | | 420 | CKV_GCP_2 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted ssh access | Terraform | | 421 | CKV_GCP_3 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted rdp access | Terraform | @@ -511,277 +511,277 @@ nav_order: 1 | 500 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | | 501 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | | 502 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 503 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 504 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 505 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 506 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 507 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 508 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 509 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 510 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 511 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 512 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 513 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 514 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 515 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 516 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 517 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 518 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 519 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 520 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 521 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 522 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 523 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 524 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 525 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 526 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 527 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 528 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 529 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 530 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 531 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 532 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 533 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 534 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 535 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 536 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 537 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 538 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 539 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 540 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 541 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 542 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 543 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 544 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 545 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 546 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 547 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 548 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 549 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 550 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 551 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 552 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 553 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 554 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 555 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 556 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 557 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 558 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 559 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 560 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 561 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 562 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 563 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 564 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 565 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 566 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 567 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 568 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 569 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 570 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 571 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 572 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 573 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 574 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 575 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 576 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 577 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 578 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 579 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 580 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 581 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 582 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 583 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 584 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 585 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 586 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 587 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 588 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 589 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 590 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 591 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 592 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 593 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 594 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 595 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 596 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 597 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 598 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 599 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 600 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 601 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 602 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 603 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 604 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 605 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 606 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 607 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 608 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 609 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 610 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 611 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 612 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 613 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 614 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 615 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 616 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 617 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 618 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 619 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 620 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 621 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 622 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 623 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 624 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 625 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 626 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 627 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 628 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 629 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 630 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 631 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 632 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 633 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 634 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 635 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 636 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 637 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 638 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 639 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 640 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 641 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 642 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 643 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 644 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 645 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 646 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 647 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 648 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 649 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 650 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 651 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 652 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 653 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 654 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 655 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 656 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 657 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 658 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 659 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 660 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 661 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 662 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 663 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 664 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 665 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 666 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 667 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 668 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 669 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 670 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 671 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 672 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 673 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 674 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 675 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 676 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 677 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 678 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 679 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 680 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 681 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 682 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 683 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 684 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 685 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 686 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 687 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 688 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 689 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 690 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 691 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 692 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 693 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 694 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 695 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 696 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 697 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 698 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 699 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 700 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 701 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 702 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 703 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 704 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 705 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 706 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 707 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 708 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 709 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 710 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 711 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 712 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 713 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 714 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 715 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 716 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 717 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 718 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 719 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 720 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 721 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 722 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 723 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 724 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 725 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 726 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 727 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 728 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 729 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 730 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 731 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 732 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 733 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 734 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 735 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 736 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 737 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 738 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 739 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 740 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 741 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 742 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 743 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 744 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 745 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 746 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 747 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 748 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 749 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 750 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 751 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 752 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 753 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 754 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 755 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 756 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 757 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 758 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 759 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 760 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 761 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 762 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 763 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 764 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 765 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 766 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 767 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 768 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 769 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 770 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 503 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 504 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 505 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 506 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 507 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 508 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 509 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 510 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 511 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 512 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 513 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 514 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 515 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 516 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 517 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 518 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 519 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 520 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 521 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 522 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 523 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 524 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 525 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 526 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 527 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 528 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 529 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 530 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 531 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 532 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 533 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 534 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 535 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 536 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 537 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 538 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 539 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 540 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 541 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 542 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 543 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 544 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 545 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 546 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 547 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 548 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 549 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 550 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 551 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 552 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 553 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 554 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 555 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 556 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 557 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 558 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 559 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 560 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 561 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 562 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 563 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 564 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 565 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 566 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 567 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 568 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 569 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 570 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 571 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 572 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 573 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 574 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 575 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 576 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 577 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 578 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 579 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 580 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 581 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 582 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 583 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 584 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 585 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 586 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 587 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 588 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 589 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 590 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 591 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 592 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 593 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 594 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 595 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 596 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 597 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 598 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 599 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 600 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 601 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 602 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 603 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 604 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 605 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 606 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 607 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 608 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 609 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 610 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 611 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 612 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 613 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 614 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 615 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 616 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 617 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 618 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 619 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 620 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 621 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 622 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 623 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 624 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 625 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 626 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 627 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 628 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 629 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 630 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 631 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 632 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 633 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 634 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 635 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 636 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 637 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 638 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 639 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 640 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 641 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 642 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 643 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 644 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 645 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 646 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 647 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 648 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 649 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 650 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 651 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 652 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 653 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 654 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 655 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 656 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 657 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 658 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 659 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 660 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 661 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 662 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 663 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 664 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 665 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 666 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 667 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 668 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 669 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 670 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 671 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 672 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 673 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 674 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 675 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 676 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 677 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 678 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 679 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 680 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 681 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 682 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 683 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 684 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 685 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 686 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 687 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 688 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 689 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 690 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 691 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 692 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 693 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 694 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 695 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 696 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 697 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 698 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 699 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 700 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 701 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 702 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 703 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 704 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 705 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 706 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 707 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 708 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 709 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 710 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 711 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 712 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 713 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 714 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 715 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 716 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 717 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 718 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 719 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 720 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 721 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 722 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 723 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 724 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 725 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 726 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 727 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 728 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 729 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 730 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 731 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 732 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 733 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 734 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 735 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 736 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 737 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 738 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 739 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 740 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 741 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 742 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 743 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 744 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 745 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 746 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 747 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 748 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 749 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 750 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 751 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 752 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 753 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 754 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 755 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 756 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 757 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 758 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 759 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 760 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 761 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 762 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 763 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 764 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 765 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 766 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 767 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 768 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 769 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 770 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | | 771 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 772 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 773 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 772 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 773 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | | 774 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 775 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 776 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform | From 750ae48acdc4e1eb8b7178526e4bba6ee24edf77 Mon Sep 17 00:00:00 2001 From: barak Date: Thu, 12 Aug 2021 15:04:20 +0300 Subject: [PATCH 069/203] update gpg key --- docs/5.Policy Index/serverless.md | 130 ------------------------------ 1 file changed, 130 deletions(-) diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index 020ab484d2..d35af83ca3 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md @@ -16,133 +16,3 @@ nav_order: 1 --- -| | Id | Type | Entity | Policy | IaC | -|-----|-------------|----------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| -| 0 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | -| 1 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | -| 2 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | -| 3 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | -| 4 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | -| 5 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | -| 6 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | -| 7 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | -| 8 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | -| 9 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | -| 10 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | -| 11 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | -| 12 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | -| 13 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | -| 14 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | -| 15 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 16 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 17 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 18 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 19 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | -| 20 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | -| 21 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | -| 22 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | -| 23 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | -| 24 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | -| 25 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | -| 26 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | -| 27 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | -| 28 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | -| 29 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | -| 30 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | -| 31 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | -| 32 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | -| 33 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | -| 34 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | -| 35 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | -| 36 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | -| 37 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | -| 38 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | -| 39 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | -| 40 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | -| 41 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | -| 42 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | -| 43 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | -| 44 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | -| 45 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | -| 46 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | -| 47 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | -| 48 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | -| 49 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | -| 50 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | -| 51 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | -| 52 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | -| 53 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | -| 54 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | -| 55 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | -| 56 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | -| 57 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | -| 58 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | -| 59 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | -| 60 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | -| 61 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | -| 62 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | -| 63 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | -| 64 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | -| 65 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | -| 66 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | -| 67 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | -| 68 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | -| 69 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | -| 70 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | -| 71 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | -| 72 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | -| 73 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | -| 74 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | -| 75 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | -| 76 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | -| 77 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | -| 78 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | -| 79 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | -| 80 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 81 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 82 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 83 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 84 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 85 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 86 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 87 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 88 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 89 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 90 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 91 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 92 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 93 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 94 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 95 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 96 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 97 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 98 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 99 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 100 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 101 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 102 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 103 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 104 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 105 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | -| 106 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | -| 107 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | -| 108 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | -| 109 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | -| 110 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | -| 111 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | -| 112 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | -| 113 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | -| 114 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | -| 115 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | -| 116 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | -| 117 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | -| 118 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | -| 119 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | -| 120 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | -| 121 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | -| 122 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | - - ---- - - From afc86456cdabda47fdf0d3e60b2c9b8475fef142 Mon Sep 17 00:00:00 2001 From: barak Date: Thu, 12 Aug 2021 15:04:20 +0300 Subject: [PATCH 070/203] update gpg key --- docs/5.Policy Index/secrets.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/docs/5.Policy Index/secrets.md b/docs/5.Policy Index/secrets.md index bd3cdcd5e8..cc3c5d8bd5 100644 --- a/docs/5.Policy Index/secrets.md +++ b/docs/5.Policy Index/secrets.md @@ -1,3 +1,11 @@ +--- +layout: default +title: secrets resource scans +nav_order: 1 +--- + +# secrets resource scans (auto generated) + | | | Id | Type | Entity | Policy | IaC | |----|---------------|----------------------------------|---------|----------------------------------|----------------------------------|---------| | 0 | CKV_SECRET_1 | Artifactory Credentials | secrets | Artifactory Credentials | Artifactory Credentials | secrets | From c40a1dd4e4c3b7273cffe18b12dc0f093cddf51d Mon Sep 17 00:00:00 2001 From: barak Date: Thu, 12 Aug 2021 15:04:20 +0300 Subject: [PATCH 071/203] update gpg key --- docs/5.Policy Index/all.md | 612 ++++++++++++++++++------------------- 1 file changed, 306 insertions(+), 306 deletions(-) diff --git a/docs/5.Policy Index/all.md b/docs/5.Policy Index/all.md index 18fbdd5bcf..bb8a7c7def 100644 --- a/docs/5.Policy Index/all.md +++ b/docs/5.Policy Index/all.md @@ -333,36 +333,36 @@ nav_order: 1 | 322 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | | 323 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | | 324 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 325 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | -| 326 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 325 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 326 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | | 327 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to an other resource | Terraform | -| 328 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | -| 329 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | +| 328 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | +| 329 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | | 330 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | | 331 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | | 332 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | | 333 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | | 334 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | | 335 | CKV2_AWS_11 | resource | aws_vpc | Ensure VPC flow logging is enabled in all VPCs | Terraform | -| 336 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | -| 337 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 336 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 337 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | | 338 | CKV2_AWS_13 | resource | aws_redshift_cluster | Ensure that Redshift clusters has backup plan of AWS Backup | Terraform | | 339 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | | 340 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | -| 341 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 342 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 341 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 342 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | | 343 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 344 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 345 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | -| 346 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 347 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 348 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | -| 349 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 346 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | +| 347 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | +| 348 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 349 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | | 350 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | | 351 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | | 352 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | -| 353 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | -| 354 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | +| 353 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | +| 354 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | | 355 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | | 356 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | | 357 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | @@ -569,43 +569,43 @@ nav_order: 1 | 558 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | | 559 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | | 560 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 561 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 562 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 563 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 564 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 565 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 566 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 567 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 568 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 569 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 561 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 562 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 563 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 564 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 565 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 566 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 567 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 568 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 569 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | | 570 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 571 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 572 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | | 573 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 574 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 575 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | -| 576 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | -| 577 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 576 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 577 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | | 578 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | | 579 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | | 580 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | | 581 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | -| 582 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | -| 583 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | +| 582 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | +| 583 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | | 584 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | -| 585 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 586 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 587 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 588 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 589 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | -| 590 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 585 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 586 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 587 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 588 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 589 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 590 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 591 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | -| 592 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 593 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 592 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 593 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | | 594 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 595 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 595 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 596 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 597 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 597 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 598 | CKV_DOCKER_1 | dockerfile | EXPOSE | Ensure port 22 is not exposed | dockerfile | | 599 | CKV_DOCKER_2 | dockerfile | * | Ensure that HEALTHCHECK instructions have been added to container images | dockerfile | | 600 | CKV_DOCKER_3 | dockerfile | * | Ensure that a user for the container has been created | dockerfile | @@ -698,279 +698,279 @@ nav_order: 1 | 687 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | | 688 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | | 689 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 690 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 691 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 692 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 693 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 694 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 695 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 696 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 697 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 698 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 699 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 700 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 701 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 702 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 703 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 704 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 705 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 706 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 707 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 708 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 709 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 710 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 711 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 712 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 713 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 714 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 715 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 716 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 717 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 718 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 719 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 720 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 721 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 722 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 723 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 724 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 725 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 726 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 727 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 728 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 729 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 730 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 731 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 732 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 733 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 734 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 735 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 736 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 737 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 738 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 739 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 740 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 741 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 742 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 743 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 744 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 745 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 746 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 747 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 748 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 749 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 750 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 751 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 752 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 753 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 754 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 755 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 756 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 757 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 758 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 759 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 760 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 761 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 762 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 763 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 764 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 765 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 766 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 767 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 768 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 769 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 770 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 771 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 772 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 773 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 774 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 775 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 776 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 777 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 778 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 779 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 780 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 781 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 782 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 783 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 784 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 785 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 786 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 787 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 788 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 789 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 790 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 791 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 792 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 793 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 794 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 795 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 796 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 797 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 798 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 799 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 800 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 801 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 802 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 803 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 804 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 805 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 806 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 807 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 808 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 809 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 810 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 811 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 812 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 813 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 814 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 815 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 816 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 817 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 818 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 819 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 820 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 821 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 822 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 823 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 824 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 825 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 826 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 827 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 828 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 829 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 830 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 831 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 832 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 833 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 834 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 835 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 836 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 837 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 838 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 839 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 840 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 841 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 842 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 843 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 844 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 845 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 846 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 847 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 848 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 849 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 850 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 851 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 852 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 853 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 854 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 855 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 856 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 857 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 858 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 859 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 860 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 861 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 862 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 863 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 864 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 865 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 866 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 867 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 868 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 869 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 870 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 871 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 872 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 873 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 874 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 875 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 876 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 877 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 878 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 879 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 880 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 881 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 882 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 883 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 884 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 885 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 886 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 887 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 888 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 889 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 890 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 891 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 892 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 893 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 894 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 895 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 896 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 897 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 898 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 899 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 900 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 901 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 902 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 903 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 904 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 905 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 906 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 907 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 908 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 909 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 910 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 911 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 912 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 913 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 914 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 915 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 916 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 917 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 918 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 919 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 920 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 921 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 922 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 923 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 924 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 925 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 926 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 927 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 928 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 929 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 930 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 931 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 932 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 933 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 934 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 935 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 936 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 937 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 938 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 939 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 940 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 941 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 942 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 943 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 944 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 945 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 946 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 947 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 948 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 949 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 950 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 951 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 952 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 953 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 954 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 690 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 691 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 692 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 693 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 694 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 695 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 696 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 697 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 698 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 699 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 700 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 701 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 702 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 703 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 704 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 705 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 706 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 707 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 708 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 709 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 710 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 711 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 712 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 713 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 714 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 715 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 716 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 717 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 718 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 719 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 720 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 721 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 722 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 723 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 724 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 725 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 726 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 727 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 728 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 729 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 730 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 731 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 732 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 733 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 734 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 735 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 736 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 737 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 738 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 739 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 740 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 741 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 742 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 743 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 744 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 745 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 746 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 747 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 748 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 749 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 750 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 751 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 752 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 753 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 754 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 755 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 756 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 757 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 758 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 759 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 760 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 761 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 762 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 763 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 764 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 765 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 766 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 767 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 768 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 769 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 770 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 771 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 772 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 773 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 774 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 775 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 776 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 777 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 778 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 779 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 780 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 781 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 782 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 783 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 784 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 785 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 786 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 787 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 788 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 789 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 790 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 791 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 792 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 793 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 794 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 795 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 796 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 797 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 798 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 799 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 800 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 801 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 802 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 803 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 804 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 805 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 806 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 807 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 808 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 809 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 810 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 811 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 812 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 813 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 814 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 815 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 816 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 817 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 818 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 819 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 820 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 821 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 822 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 823 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 824 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 825 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 826 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 827 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 828 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 829 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 830 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 831 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 832 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 833 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 834 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 835 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 836 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 837 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 838 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 839 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 840 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 841 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 842 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 843 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 844 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 845 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 846 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 847 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 848 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 849 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 850 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 851 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 852 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 853 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 854 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 855 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 856 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 857 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 858 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 859 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 860 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 861 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 862 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 863 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 864 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 865 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 866 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 867 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 868 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 869 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 870 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 871 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 872 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 873 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 874 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 875 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 876 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 877 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 878 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 879 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 880 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 881 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 882 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 883 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 884 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 885 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 886 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 887 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 888 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 889 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 890 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 891 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 892 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 893 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 894 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 895 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 896 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 897 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 898 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 899 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 900 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 901 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 902 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 903 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 904 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 905 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 906 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 907 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 908 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 909 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 910 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 911 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 912 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 913 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 914 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 915 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 916 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 917 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 918 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 919 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 920 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 921 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 922 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 923 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 924 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 925 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 926 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 927 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 928 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 929 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 930 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 931 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 932 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 933 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 934 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 935 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 936 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 937 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 938 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 939 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 940 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 941 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 942 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 943 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 944 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 945 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 946 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 947 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 948 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 949 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 950 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 951 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 952 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 953 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 954 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 955 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 956 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 957 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 956 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 957 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | | 958 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | | 959 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | | 960 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 961 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | -| 962 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 961 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 962 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 963 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform | | 964 | CKV_K8S_1 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host process ID namespace | Kubernetes | | 965 | CKV_K8S_2 | resource | PodSecurityPolicy | Do not admit privileged containers | Kubernetes | From 869bfe4c241860aaaf4ba74cd58929e338c9d2c0 Mon Sep 17 00:00:00 2001 From: barak Date: Thu, 12 Aug 2021 15:04:20 +0300 Subject: [PATCH 072/203] update gpg key --- docs/5.Policy Index/serverless.md | 130 ++++++++++++++++++++++++++++++ 1 file changed, 130 insertions(+) diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index d35af83ca3..020ab484d2 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md @@ -16,3 +16,133 @@ nav_order: 1 --- +| | Id | Type | Entity | Policy | IaC | +|-----|-------------|----------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| +| 0 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | +| 1 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | +| 2 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | +| 3 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | +| 4 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | +| 5 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | +| 6 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | +| 7 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | +| 8 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | +| 9 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | +| 10 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | +| 11 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | +| 12 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | +| 13 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | +| 14 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | +| 15 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 16 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 17 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 18 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 19 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | +| 20 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | +| 21 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | +| 22 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | +| 23 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | +| 24 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | +| 25 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | +| 26 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | +| 27 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | +| 28 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | +| 29 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | +| 30 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | +| 31 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | +| 32 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | +| 33 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | +| 34 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | +| 35 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | +| 36 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | +| 37 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | +| 38 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | +| 39 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | +| 40 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | +| 41 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | +| 42 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | +| 43 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | +| 44 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | +| 45 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | +| 46 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | +| 47 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | +| 48 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | +| 49 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | +| 50 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | +| 51 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | +| 52 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | +| 53 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | +| 54 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | +| 55 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | +| 56 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | +| 57 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | +| 58 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | +| 59 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | +| 60 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | +| 61 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | +| 62 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | +| 63 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | +| 64 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | +| 65 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | +| 66 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | +| 67 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | +| 68 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | +| 69 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | +| 70 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | +| 71 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | +| 72 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | +| 73 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | +| 74 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | +| 75 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | +| 76 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | +| 77 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | +| 78 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | +| 79 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | +| 80 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 81 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 82 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 83 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 84 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 85 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 86 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 87 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 88 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 89 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 90 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 91 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 92 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 93 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 94 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 95 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 96 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 97 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 98 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 99 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 100 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 101 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 102 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 103 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 104 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 105 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | +| 106 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | +| 107 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | +| 108 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | +| 109 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | +| 110 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | +| 111 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | +| 112 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | +| 113 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | +| 114 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | +| 115 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | +| 116 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | +| 117 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | +| 118 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | +| 119 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | +| 120 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | +| 121 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | +| 122 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | + + +--- + + From fdc39c9970ec1348430f4b6f6ee52f4f5df8f797 Mon Sep 17 00:00:00 2001 From: barak Date: Thu, 12 Aug 2021 15:04:20 +0300 Subject: [PATCH 073/203] update gpg key --- checkov/version.py | 2 +- kubernetes/requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/checkov/version.py b/checkov/version.py index a5511742e2..10759659c0 100644 --- a/checkov/version.py +++ b/checkov/version.py @@ -1 +1 @@ -version = '2.0.345' +version = '2.0.346' diff --git a/kubernetes/requirements.txt b/kubernetes/requirements.txt index 53c697f787..7ac8db7a62 100644 --- a/kubernetes/requirements.txt +++ b/kubernetes/requirements.txt @@ -1 +1 @@ -checkov==2.0.345 +checkov==2.0.346 From 90ac2c0d83cb5caba358215ce8ac6ccf13668903 Mon Sep 17 00:00:00 2001 From: barak Date: Thu, 12 Aug 2021 15:04:20 +0300 Subject: [PATCH 074/203] update gpg key --- docs/5.Policy Index/terraform.md | 570 +++++++++++++++---------------- 1 file changed, 285 insertions(+), 285 deletions(-) diff --git a/docs/5.Policy Index/terraform.md b/docs/5.Policy Index/terraform.md index f68ee823f4..2885fb8b31 100644 --- a/docs/5.Policy Index/terraform.md +++ b/docs/5.Policy Index/terraform.md @@ -203,17 +203,17 @@ nav_order: 1 | 192 | CKV_AWS_172 | resource | aws_qldb_ledger | Ensure QLDB ledger has deletion protection enabled | Terraform | | 193 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | | 194 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | -| 195 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | -| 196 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 195 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 196 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | | 197 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | | 198 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 199 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | -| 200 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 199 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 200 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | | 201 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to an other resource | Terraform | | 202 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | | 203 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | -| 204 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | -| 205 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 204 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 205 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | | 206 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | | 207 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | | 208 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | @@ -223,15 +223,15 @@ nav_order: 1 | 212 | CKV2_AWS_13 | resource | aws_redshift_cluster | Ensure that Redshift clusters has backup plan of AWS Backup | Terraform | | 213 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | | 214 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | -| 215 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 216 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 215 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 216 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | | 217 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 218 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 219 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | | 220 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | | 221 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 222 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | -| 223 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 222 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 223 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | | 224 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | | 225 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | | 226 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | @@ -402,17 +402,17 @@ nav_order: 1 | 391 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 392 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 393 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | -| 394 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | -| 395 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | +| 394 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | +| 395 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 396 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | -| 397 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | -| 398 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 397 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 398 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | | 399 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | | 400 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | | 401 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | | 402 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | -| 403 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | -| 404 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | +| 403 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | +| 404 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | | 405 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | | 406 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | | 407 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | @@ -421,12 +421,12 @@ nav_order: 1 | 410 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 411 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 412 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | -| 413 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 414 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 415 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 413 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 414 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 415 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | | 416 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 417 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 418 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 417 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 418 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 419 | CKV_GCP_1 | resource | google_container_cluster | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters | Terraform | | 420 | CKV_GCP_2 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted ssh access | Terraform | | 421 | CKV_GCP_3 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted rdp access | Terraform | @@ -511,279 +511,279 @@ nav_order: 1 | 500 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | | 501 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | | 502 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 503 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 504 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 505 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 506 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 507 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 508 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 509 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 510 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 511 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 512 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 513 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 514 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 515 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 516 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 517 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 518 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 519 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 520 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 521 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 522 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 523 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 524 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 525 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 526 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 527 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 528 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 529 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 530 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 531 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 532 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 533 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 534 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 535 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 536 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 537 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 538 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 539 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 540 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 541 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 542 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 543 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 544 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 545 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 546 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 547 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 548 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 549 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 550 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 551 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 552 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 553 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 554 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 555 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 556 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 557 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 558 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 559 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 560 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 561 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 562 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 563 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 564 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 565 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 566 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 567 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 568 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 569 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 570 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 571 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 572 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 573 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 574 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 575 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 576 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 577 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 578 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 579 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 580 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 581 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 582 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 583 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 584 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 585 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 586 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 587 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 588 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 589 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 590 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 591 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 592 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 593 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 594 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 595 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 596 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 597 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 598 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 599 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 600 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 601 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 602 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 603 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 604 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 605 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 606 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 607 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 608 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 609 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 610 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 611 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 612 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 613 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 614 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 615 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 616 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 617 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 618 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 619 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 620 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 621 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 622 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 623 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 624 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 625 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 626 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 627 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 628 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 629 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 630 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 631 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 632 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 633 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 634 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 635 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 636 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 637 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 638 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 639 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 640 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 641 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 642 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 643 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 644 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 645 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 503 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 504 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 505 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 506 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 507 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 508 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 509 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 510 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 511 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 512 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 513 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 514 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 515 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 516 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 517 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 518 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 519 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 520 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 521 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 522 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 523 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 524 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 525 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 526 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 527 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 528 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 529 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 530 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 531 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 532 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 533 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 534 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 535 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 536 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 537 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 538 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 539 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 540 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 541 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 542 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 543 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 544 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 545 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 546 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 547 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 548 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 549 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 550 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 551 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 552 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 553 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 554 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 555 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 556 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 557 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 558 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 559 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 560 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 561 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 562 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 563 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 564 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 565 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 566 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 567 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 568 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 569 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 570 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 571 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 572 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 573 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 574 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 575 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 576 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 577 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 578 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 579 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 580 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 581 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 582 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 583 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 584 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 585 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 586 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 587 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 588 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 589 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 590 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 591 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 592 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 593 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 594 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 595 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 596 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 597 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 598 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 599 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 600 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 601 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 602 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 603 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 604 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 605 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 606 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 607 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 608 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 609 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 610 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 611 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 612 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 613 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 614 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 615 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 616 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 617 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 618 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 619 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 620 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 621 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 622 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 623 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 624 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 625 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 626 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 627 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 628 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 629 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 630 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 631 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 632 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 633 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 634 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 635 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 636 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 637 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 638 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 639 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 640 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 641 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 642 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 643 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 644 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 645 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 646 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 647 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 648 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 649 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 650 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 651 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 652 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 653 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 654 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 655 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 656 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 657 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 658 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 659 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 660 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 661 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 662 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 663 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 664 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 665 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 666 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 667 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 668 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 669 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 670 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 671 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 672 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 673 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 674 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 675 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 676 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 677 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 678 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 679 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 680 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 681 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 682 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 683 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 684 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 685 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 686 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 687 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 688 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 689 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 690 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 691 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 692 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 693 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 694 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 695 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 696 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 697 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 698 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 699 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 700 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 701 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 702 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 703 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 704 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 705 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 706 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 707 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 708 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 709 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 710 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 711 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 712 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 713 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 714 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 715 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 716 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 717 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 718 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 719 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 720 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 721 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 722 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 723 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 724 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 725 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 726 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 727 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 728 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 729 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 730 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 647 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 648 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 649 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 650 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 651 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 652 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 653 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 654 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 655 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 656 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 657 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 658 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 659 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 660 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 661 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 662 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 663 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 664 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 665 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 666 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 667 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 668 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 669 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 670 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 671 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 672 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 673 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 674 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 675 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 676 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 677 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 678 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 679 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 680 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 681 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 682 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 683 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 684 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 685 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 686 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 687 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 688 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 689 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 690 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 691 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 692 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 693 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 694 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 695 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 696 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 697 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 698 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 699 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 700 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 701 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 702 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 703 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 704 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 705 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 706 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 707 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 708 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 709 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 710 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 711 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 712 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 713 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 714 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 715 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 716 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 717 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 718 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 719 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 720 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 721 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 722 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 723 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 724 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 725 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 726 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 727 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 728 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 729 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 730 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 731 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 732 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 733 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 734 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 735 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 736 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 737 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 738 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 739 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 740 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 741 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 742 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 743 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 744 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 745 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 746 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 747 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 748 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 749 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 750 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 751 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 752 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 753 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 754 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 755 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 756 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 757 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 758 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 759 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 760 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 761 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 762 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 763 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 764 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 765 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 732 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 733 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 734 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 735 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 736 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 737 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 738 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 739 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 740 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 741 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 742 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 743 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 744 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 745 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 746 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 747 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 748 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 749 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 750 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 751 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 752 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 753 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 754 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 755 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 756 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 757 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 758 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 759 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 760 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 761 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 762 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 763 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 764 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 765 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 766 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 767 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 768 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 768 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 769 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | | 770 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | | 771 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | | 772 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | | 773 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 774 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | -| 775 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 774 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 775 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 776 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform | | 777 | CKV_LIN_1 | provider | linode | Ensure no hard coded Linode tokens exist in provider | Terraform | | 778 | CKV_LIN_2 | resource | linode_instance | Ensure SSH key set in authorized_keys | Terraform | From a5fec4a334158c722e1b8b2762ac2022f3f63263 Mon Sep 17 00:00:00 2001 From: barak Date: Thu, 12 Aug 2021 15:04:20 +0300 Subject: [PATCH 075/203] update gpg key --- docs/5.Policy Index/serverless.md | 130 ------------------------------ 1 file changed, 130 deletions(-) diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index 020ab484d2..d35af83ca3 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md @@ -16,133 +16,3 @@ nav_order: 1 --- -| | Id | Type | Entity | Policy | IaC | -|-----|-------------|----------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| -| 0 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | -| 1 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | -| 2 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | -| 3 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | -| 4 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | -| 5 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | -| 6 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | -| 7 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | -| 8 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | -| 9 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | -| 10 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | -| 11 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | -| 12 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | -| 13 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | -| 14 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | -| 15 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 16 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 17 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 18 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 19 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | -| 20 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | -| 21 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | -| 22 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | -| 23 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | -| 24 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | -| 25 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | -| 26 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | -| 27 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | -| 28 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | -| 29 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | -| 30 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | -| 31 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | -| 32 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | -| 33 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | -| 34 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | -| 35 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | -| 36 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | -| 37 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | -| 38 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | -| 39 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | -| 40 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | -| 41 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | -| 42 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | -| 43 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | -| 44 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | -| 45 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | -| 46 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | -| 47 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | -| 48 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | -| 49 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | -| 50 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | -| 51 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | -| 52 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | -| 53 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | -| 54 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | -| 55 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | -| 56 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | -| 57 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | -| 58 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | -| 59 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | -| 60 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | -| 61 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | -| 62 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | -| 63 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | -| 64 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | -| 65 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | -| 66 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | -| 67 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | -| 68 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | -| 69 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | -| 70 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | -| 71 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | -| 72 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | -| 73 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | -| 74 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | -| 75 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | -| 76 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | -| 77 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | -| 78 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | -| 79 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | -| 80 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 81 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 82 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 83 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 84 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 85 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 86 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 87 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 88 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 89 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 90 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 91 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 92 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 93 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 94 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 95 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 96 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 97 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 98 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 99 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 100 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 101 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 102 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 103 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 104 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 105 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | -| 106 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | -| 107 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | -| 108 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | -| 109 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | -| 110 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | -| 111 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | -| 112 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | -| 113 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | -| 114 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | -| 115 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | -| 116 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | -| 117 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | -| 118 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | -| 119 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | -| 120 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | -| 121 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | -| 122 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | - - ---- - - From f78a54152fd3ec14a5ea1ddc9398d342ba930eb3 Mon Sep 17 00:00:00 2001 From: barak Date: Thu, 12 Aug 2021 15:04:20 +0300 Subject: [PATCH 076/203] update gpg key --- docs/5.Policy Index/all.md | 604 ++++++++++++++++++------------------- 1 file changed, 302 insertions(+), 302 deletions(-) diff --git a/docs/5.Policy Index/all.md b/docs/5.Policy Index/all.md index bb8a7c7def..be74c49271 100644 --- a/docs/5.Policy Index/all.md +++ b/docs/5.Policy Index/all.md @@ -333,8 +333,8 @@ nav_order: 1 | 322 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | | 323 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | | 324 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 325 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | -| 326 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 325 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 326 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | | 327 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to an other resource | Terraform | | 328 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | | 329 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | @@ -344,25 +344,25 @@ nav_order: 1 | 333 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | | 334 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | | 335 | CKV2_AWS_11 | resource | aws_vpc | Ensure VPC flow logging is enabled in all VPCs | Terraform | -| 336 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | -| 337 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 336 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 337 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | | 338 | CKV2_AWS_13 | resource | aws_redshift_cluster | Ensure that Redshift clusters has backup plan of AWS Backup | Terraform | | 339 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | | 340 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | -| 341 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 342 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 343 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | -| 344 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | +| 341 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 342 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 343 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | +| 344 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 345 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | -| 346 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 347 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 348 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | -| 349 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 346 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | +| 347 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | +| 348 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 349 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | | 350 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | | 351 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | | 352 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | -| 353 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | -| 354 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | +| 353 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | +| 354 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | | 355 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | | 356 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | | 357 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | @@ -567,45 +567,45 @@ nav_order: 1 | 556 | CKV_AZURE_131 | resource | azurerm_security_center_contact | Ensure that 'Security contact emails' is set | Terraform | | 557 | CKV_AZURE_131 | parameter | secureString | SecureString parameter should not have hardcoded default values | arm | | 558 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | -| 559 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 560 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 561 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 559 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 560 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 561 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 562 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 563 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 564 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 563 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 564 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 565 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 566 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 567 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 566 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 567 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | | 568 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 569 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 569 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | | 570 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 571 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 572 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | -| 573 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | -| 574 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | +| 573 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | +| 574 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 575 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | | 576 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | | 577 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | | 578 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | | 579 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | -| 580 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | -| 581 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | -| 582 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | -| 583 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | +| 580 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | +| 581 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | +| 582 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | +| 583 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | | 584 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | -| 585 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 586 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 587 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 588 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 589 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | -| 590 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 585 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 586 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 587 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 588 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 589 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 590 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 591 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | | 592 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 593 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 594 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 595 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 596 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 597 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 593 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 594 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 595 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 596 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 597 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 598 | CKV_DOCKER_1 | dockerfile | EXPOSE | Ensure port 22 is not exposed | dockerfile | | 599 | CKV_DOCKER_2 | dockerfile | * | Ensure that HEALTHCHECK instructions have been added to container images | dockerfile | | 600 | CKV_DOCKER_3 | dockerfile | * | Ensure that a user for the container has been created | dockerfile | @@ -698,272 +698,272 @@ nav_order: 1 | 687 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | | 688 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | | 689 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 690 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 691 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 692 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 693 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 694 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 695 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 696 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 697 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 698 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 699 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 700 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 701 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 702 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 703 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 704 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 705 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 706 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 707 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 708 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 709 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 710 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 711 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 712 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 713 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 714 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 715 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 716 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 717 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 718 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 719 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 720 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 721 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 722 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 723 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 724 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 725 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 726 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 727 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 728 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 729 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 730 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 731 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 732 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 733 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 734 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 735 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 736 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 737 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 738 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 739 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 740 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 741 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 742 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 743 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 744 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 745 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 746 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 747 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 748 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 749 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 750 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 751 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 752 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 753 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 754 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 755 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 756 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 757 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 758 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 759 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 760 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 761 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 762 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 763 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 764 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 765 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 766 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 767 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 768 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 769 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 770 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 771 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 772 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 773 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 774 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 775 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 776 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 777 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 778 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 779 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 780 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 781 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 782 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 783 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 784 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 785 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 786 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 787 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 788 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 789 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 790 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 791 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 792 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 793 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 794 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 795 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 796 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 797 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 798 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 799 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 800 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 801 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 802 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 803 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 804 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 805 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 806 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 807 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 808 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 809 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 810 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 811 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 812 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 813 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 814 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 815 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 816 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 817 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 818 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 819 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 820 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 821 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 822 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 823 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 824 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 825 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 826 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 827 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 828 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 690 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 691 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 692 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 693 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 694 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 695 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 696 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 697 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 698 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 699 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 700 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 701 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 702 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 703 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 704 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 705 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 706 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 707 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 708 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 709 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 710 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 711 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 712 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 713 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 714 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 715 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 716 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 717 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 718 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 719 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 720 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 721 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 722 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 723 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 724 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 725 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 726 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 727 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 728 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 729 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 730 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 731 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 732 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 733 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 734 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 735 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 736 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 737 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 738 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 739 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 740 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 741 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 742 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 743 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 744 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 745 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 746 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 747 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 748 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 749 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 750 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 751 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 752 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 753 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 754 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 755 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 756 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 757 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 758 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 759 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 760 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 761 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 762 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 763 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 764 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 765 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 766 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 767 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 768 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 769 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 770 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 771 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 772 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 773 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 774 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 775 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 776 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 777 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 778 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 779 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 780 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 781 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 782 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 783 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 784 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 785 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 786 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 787 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 788 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 789 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 790 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 791 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 792 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 793 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 794 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 795 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 796 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 797 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 798 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 799 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 800 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 801 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 802 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 803 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 804 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 805 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 806 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 807 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 808 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 809 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 810 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 811 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 812 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 813 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 814 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 815 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 816 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 817 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 818 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 819 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 820 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 821 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 822 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 823 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 824 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 825 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 826 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 827 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 828 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 829 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 830 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 831 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 832 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 833 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 834 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 835 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 836 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 837 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 838 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 839 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 840 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 841 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 842 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 843 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 844 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 845 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 846 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 847 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 848 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 849 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 850 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 851 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 852 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 853 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 854 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 855 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 856 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 857 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 858 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 859 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 860 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 861 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 862 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 863 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 864 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 865 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 866 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 867 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 868 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 869 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 870 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 871 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 872 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 873 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 874 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 875 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 876 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 877 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 878 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 879 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 880 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 881 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 882 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 883 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 884 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 885 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 886 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 887 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 888 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 889 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 890 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 891 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 892 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 893 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 894 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 895 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 896 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 897 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 898 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 899 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 900 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 901 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 902 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 903 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 904 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 905 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 906 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 907 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 908 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 909 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 910 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 911 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 912 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 913 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 914 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 915 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 916 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 917 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 918 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 919 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 920 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 921 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 922 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 923 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 924 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 925 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 926 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 927 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 928 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 929 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 930 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 931 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 932 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 933 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 934 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 935 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 936 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 937 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 938 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 939 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 940 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 941 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 942 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 943 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 944 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 945 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 946 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 947 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 948 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 949 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 950 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 951 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 830 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 831 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 832 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 833 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 834 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 835 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 836 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 837 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 838 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 839 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 840 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 841 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 842 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 843 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 844 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 845 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 846 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 847 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 848 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 849 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 850 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 851 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 852 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 853 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 854 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 855 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 856 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 857 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 858 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 859 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 860 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 861 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 862 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 863 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 864 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 865 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 866 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 867 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 868 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 869 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 870 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 871 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 872 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 873 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 874 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 875 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 876 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 877 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 878 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 879 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 880 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 881 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 882 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 883 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 884 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 885 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 886 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 887 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 888 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 889 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 890 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 891 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 892 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 893 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 894 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 895 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 896 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 897 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 898 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 899 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 900 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 901 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 902 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 903 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 904 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 905 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 906 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 907 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 908 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 909 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 910 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 911 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 912 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 913 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 914 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 915 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 916 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 917 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 918 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 919 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 920 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 921 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 922 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 923 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 924 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 925 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 926 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 927 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 928 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 929 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 930 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 931 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 932 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 933 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 934 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 935 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 936 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 937 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 938 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 939 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 940 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 941 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 942 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 943 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 944 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 945 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 946 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 947 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 948 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 949 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 950 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 951 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 952 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 953 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 954 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 955 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 954 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 955 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 956 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | | 957 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | | 958 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | From 5c3fccf31a3c004f6ef9c12bf3ac335662555bfb Mon Sep 17 00:00:00 2001 From: barak Date: Thu, 12 Aug 2021 15:04:20 +0300 Subject: [PATCH 077/203] update gpg key --- docs/5.Policy Index/serverless.md | 130 ++++++++++++++++++++++++++++++ 1 file changed, 130 insertions(+) diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index d35af83ca3..020ab484d2 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md @@ -16,3 +16,133 @@ nav_order: 1 --- +| | Id | Type | Entity | Policy | IaC | +|-----|-------------|----------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| +| 0 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | +| 1 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | +| 2 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | +| 3 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | +| 4 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | +| 5 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | +| 6 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | +| 7 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | +| 8 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | +| 9 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | +| 10 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | +| 11 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | +| 12 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | +| 13 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | +| 14 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | +| 15 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 16 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 17 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 18 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 19 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | +| 20 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | +| 21 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | +| 22 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | +| 23 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | +| 24 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | +| 25 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | +| 26 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | +| 27 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | +| 28 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | +| 29 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | +| 30 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | +| 31 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | +| 32 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | +| 33 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | +| 34 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | +| 35 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | +| 36 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | +| 37 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | +| 38 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | +| 39 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | +| 40 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | +| 41 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | +| 42 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | +| 43 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | +| 44 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | +| 45 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | +| 46 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | +| 47 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | +| 48 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | +| 49 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | +| 50 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | +| 51 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | +| 52 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | +| 53 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | +| 54 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | +| 55 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | +| 56 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | +| 57 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | +| 58 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | +| 59 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | +| 60 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | +| 61 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | +| 62 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | +| 63 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | +| 64 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | +| 65 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | +| 66 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | +| 67 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | +| 68 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | +| 69 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | +| 70 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | +| 71 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | +| 72 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | +| 73 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | +| 74 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | +| 75 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | +| 76 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | +| 77 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | +| 78 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | +| 79 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | +| 80 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 81 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 82 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 83 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 84 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 85 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 86 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 87 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 88 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 89 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 90 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 91 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 92 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 93 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 94 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 95 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 96 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 97 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 98 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 99 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 100 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 101 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 102 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 103 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 104 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 105 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | +| 106 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | +| 107 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | +| 108 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | +| 109 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | +| 110 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | +| 111 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | +| 112 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | +| 113 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | +| 114 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | +| 115 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | +| 116 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | +| 117 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | +| 118 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | +| 119 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | +| 120 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | +| 121 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | +| 122 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | + + +--- + + From 090e821584e670bfcbe36f7648716de1852b0282 Mon Sep 17 00:00:00 2001 From: barak Date: Thu, 12 Aug 2021 15:04:20 +0300 Subject: [PATCH 078/203] update gpg key --- checkov/version.py | 2 +- kubernetes/requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/checkov/version.py b/checkov/version.py index 10759659c0..b13106fc2c 100644 --- a/checkov/version.py +++ b/checkov/version.py @@ -1 +1 @@ -version = '2.0.346' +version = '2.0.347' diff --git a/kubernetes/requirements.txt b/kubernetes/requirements.txt index 7ac8db7a62..a7e6277660 100644 --- a/kubernetes/requirements.txt +++ b/kubernetes/requirements.txt @@ -1 +1 @@ -checkov==2.0.346 +checkov==2.0.347 From 313cc8587d92651060c20bbdf1592d8d2d6f747e Mon Sep 17 00:00:00 2001 From: mikeurbanski1 Date: Thu, 12 Aug 2021 09:51:59 -0500 Subject: [PATCH 079/203] understand platform suppressions with bcorg_ prefix (#1489) * understand platform suppressions with bcorg_ prefix * remove accidental blank line * Update checkov/common/bridgecrew/integration_features/features/suppressions_integration.py Co-authored-by: Nimrod Kor Co-authored-by: Nimrod Kor --- .../features/suppressions_integration.py | 10 ++- .../test_suppressions_integration.py | 90 +++++++++++++++++++ 2 files changed, 97 insertions(+), 3 deletions(-) diff --git a/checkov/common/bridgecrew/integration_features/features/suppressions_integration.py b/checkov/common/bridgecrew/integration_features/features/suppressions_integration.py index 10e6958609..62d6f337a2 100644 --- a/checkov/common/bridgecrew/integration_features/features/suppressions_integration.py +++ b/checkov/common/bridgecrew/integration_features/features/suppressions_integration.py @@ -85,10 +85,10 @@ def _check_suppression(self, record, suppression): elif type == 'Accounts': # This should be true, because we validated when we downloaded the policies. # But checking here adds some resiliency against bugs if that changes. - return self.bc_integration.repo_id in suppression['accountIds'] + return any(self._repo_matches(account) for account in suppression['accountIds']) elif type == 'Resources': for resource in suppression['resources']: - if resource['accountId'] == self.bc_integration.repo_id and resource['resourceId'] == f'{record.repo_file_path}:{record.resource}': + if self._repo_matches(resource['accountId']) and resource['resourceId'] == f'{record.repo_file_path}:{record.resource}': return True return False elif type == 'Tags': @@ -138,10 +138,14 @@ def _suppression_valid_for_run(self, suppression): return False if suppression['suppressionType'] == 'Accounts': - if self.bc_integration.repo_id not in suppression['accountIds']: + if not any(self._repo_matches(account) for account in suppression['accountIds']): return False return True + def _repo_matches(self, repo_name): + # matches xyz_org/repo or org/repo (where xyz is the BC org name and the CLI repo prefix from the platform) + return re.match(f'^(\\w+_)?{self.bc_integration.repo_id}$', repo_name) is not None + integration = SuppressionsIntegration(bc_integration) diff --git a/tests/common/integration_features/test_suppressions_integration.py b/tests/common/integration_features/test_suppressions_integration.py index 5ca95acd90..928fa9222b 100644 --- a/tests/common/integration_features/test_suppressions_integration.py +++ b/tests/common/integration_features/test_suppressions_integration.py @@ -73,6 +73,18 @@ def test_suppression_valid(self): self.assertTrue(suppressions_integration._suppression_valid_for_run(suppression)) + suppression = { + "suppressionType": "Accounts", + "policyId": "BC_AWS_1", + "creationDate": 1608816140086, + "comment": "No justification comment provided.", + "accountIds": [ + "bcorg_org/repo" + ] + } + + self.assertTrue(suppressions_integration._suppression_valid_for_run(suppression)) + suppression = { "suppressionType": "Resources", "policyId": "BC_AWS_1", @@ -122,6 +134,18 @@ def test_suppression_valid(self): self.assertFalse(suppressions_integration._suppression_valid_for_run(suppression)) + suppression = { + "suppressionType": "Accounts", + "policyId": "BC_AWS_1", + "creationDate": 1608816140086, + "comment": "No justification comment provided.", + "accountIds": [ + "bcorg_other/repo" + ] + } + + self.assertFalse(suppressions_integration._suppression_valid_for_run(suppression)) + suppression = { "suppressionType": "Tags", "policyId": "NOT_A_POLICY", @@ -206,6 +230,32 @@ def test_account_suppression(self): self.assertTrue(suppressions_integration._check_suppression(record1, suppression)) self.assertFalse(suppressions_integration._check_suppression(record2, suppression)) + def test_account_suppression_cli_repo(self): + instance = BcPlatformIntegration() + instance.repo_id = 'org/repo' + suppressions_integration = SuppressionsIntegration(instance) + suppression = { + "suppressionType": "Accounts", + "policyId": "BC_AWS_S3_13", + "comment": "testing checkov", + "accountIds": ["bcorg_org/repo", "bcorg_not/valid"], + "checkovPolicyId": "CKV_AWS_18", + } + + record1 = Record(check_id='CKV_AWS_18', check_name=None, check_result=None, + code_block=None, file_path=None, + file_line_range=None, + resource=None, evaluations=None, + check_class=None, file_abs_path='.', entity_tags=None) + record2 = Record(check_id='CKV_AWS_1', check_name=None, check_result=None, + code_block=None, file_path=None, + file_line_range=None, + resource=None, evaluations=None, + check_class=None, file_abs_path='.', entity_tags=None) + + self.assertTrue(suppressions_integration._check_suppression(record1, suppression)) + self.assertFalse(suppressions_integration._check_suppression(record2, suppression)) + def test_resource_suppression(self): instance = BcPlatformIntegration() instance.repo_id = 'org/repo' @@ -246,6 +296,46 @@ def test_resource_suppression(self): self.assertFalse(suppressions_integration._check_suppression(record2, suppression)) self.assertFalse(suppressions_integration._check_suppression(record3, suppression)) + def test_resource_suppression_cli_repo(self): + instance = BcPlatformIntegration() + instance.repo_id = 'org/repo' + suppressions_integration = SuppressionsIntegration(instance) + suppression = { + "suppressionType": "Resources", + "policyId": "BC_AWS_S3_13", + "comment": "No justification comment provided.", + "resources": [ + { + "accountId": "bcorg_org/repo", + "resourceId": "/terraform/aws/s3.tf:aws_s3_bucket.operations", + } + ], + "checkovPolicyId": "CKV_AWS_18", + } + + record1 = Record(check_id='CKV_AWS_18', check_name=None, check_result=None, + code_block=None, file_path=None, + file_line_range=None, + resource='aws_s3_bucket.operations', evaluations=None, + check_class=None, file_abs_path=',.', entity_tags=None) + record1.repo_file_path = '/terraform/aws/s3.tf' + record2 = Record(check_id='CKV_AWS_13', check_name=None, check_result=None, + code_block=None, file_path=None, + file_line_range=None, + resource='aws_s3_bucket.no', evaluations=None, + check_class=None, file_abs_path='.', entity_tags=None) + record2.repo_file_path = '/terraform/aws/s3.tf' + record3 = Record(check_id='CKV_AWS_1', check_name=None, check_result=None, + code_block=None, file_path=None, + file_line_range=None, + resource='aws_s3_bucket.operations', evaluations=None, + check_class=None, file_abs_path='.', entity_tags=None) + record3.repo_file_path = '/terraform/aws/s3.tf' + + self.assertTrue(suppressions_integration._check_suppression(record1, suppression)) + self.assertFalse(suppressions_integration._check_suppression(record2, suppression)) + self.assertFalse(suppressions_integration._check_suppression(record3, suppression)) + def test_tag_suppression(self): instance = BcPlatformIntegration() suppressions_integration = SuppressionsIntegration(instance) From 91a0aa40e8021e51c1b356caeea1fbce402efe46 Mon Sep 17 00:00:00 2001 From: nimrodkor Date: Thu, 12 Aug 2021 17:52:14 +0300 Subject: [PATCH 080/203] Add evaluated keys impl. to CFN base_resource_value_check.py --- .../checks/resource/base_resource_value_check.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/checkov/cloudformation/checks/resource/base_resource_value_check.py b/checkov/cloudformation/checks/resource/base_resource_value_check.py index 97ebec5228..d1b41166f7 100644 --- a/checkov/cloudformation/checks/resource/base_resource_value_check.py +++ b/checkov/cloudformation/checks/resource/base_resource_value_check.py @@ -8,6 +8,7 @@ from checkov.cloudformation.parser.node import str_node from checkov.common.models.consts import ANY_VALUE from checkov.common.models.enums import CheckResult, CheckCategories +from checkov.common.util.type_forcers import force_list VARIABLE_DEPENDANT_REGEX = r"(?:Ref)\.[^\s]+" @@ -100,3 +101,6 @@ def get_expected_value(self) -> Any: Returns the default expected value, governed by provider best practices """ return True + + def get_evaluated_keys(self) -> List[str]: + return force_list(self.get_inspected_key()) From e228fd97b81fe5c5ae91e6cfaf7a8a6e83603b45 Mon Sep 17 00:00:00 2001 From: Nimrod Kor Date: Thu, 12 Aug 2021 17:54:07 +0300 Subject: [PATCH 081/203] Merge pull request #1479 from bridgecrewio/fix/codebuildproject fix false positive on codebuild project encryption for #1458 --- docs/5.Policy Index/terraform.md | 592 +++++++++++++++---------------- 1 file changed, 296 insertions(+), 296 deletions(-) diff --git a/docs/5.Policy Index/terraform.md b/docs/5.Policy Index/terraform.md index 2885fb8b31..e524701e28 100644 --- a/docs/5.Policy Index/terraform.md +++ b/docs/5.Policy Index/terraform.md @@ -203,26 +203,26 @@ nav_order: 1 | 192 | CKV_AWS_172 | resource | aws_qldb_ledger | Ensure QLDB ledger has deletion protection enabled | Terraform | | 193 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | | 194 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | -| 195 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | -| 196 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 195 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 196 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | | 197 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | | 198 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 199 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | -| 200 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 199 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 200 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | | 201 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to an other resource | Terraform | | 202 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | | 203 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | -| 204 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | -| 205 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 204 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 205 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | | 206 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | | 207 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | | 208 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | | 209 | CKV2_AWS_11 | resource | aws_vpc | Ensure VPC flow logging is enabled in all VPCs | Terraform | -| 210 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | -| 211 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 210 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 211 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | | 212 | CKV2_AWS_13 | resource | aws_redshift_cluster | Ensure that Redshift clusters has backup plan of AWS Backup | Terraform | -| 213 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | -| 214 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | +| 213 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | +| 214 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | | 215 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | | 216 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | | 217 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | @@ -238,8 +238,8 @@ nav_order: 1 | 227 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | | 228 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | | 229 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | -| 230 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | -| 231 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | +| 230 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | +| 231 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | | 232 | CKV_AZURE_1 | resource | azurerm_linux_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | | 233 | CKV_AZURE_1 | resource | azurerm_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | | 234 | CKV_AZURE_2 | resource | azurerm_managed_disk | Ensure Azure managed disk has encryption enabled | Terraform | @@ -388,45 +388,45 @@ nav_order: 1 | 377 | CKV_AZURE_130 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables infrastructure encryption | Terraform | | 378 | CKV_AZURE_131 | resource | azurerm_security_center_contact | Ensure that 'Security contact emails' is set | Terraform | | 379 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | -| 380 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 381 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 382 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 380 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 381 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 382 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 383 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 384 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 385 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 384 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 385 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 386 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 387 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 388 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 387 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 388 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | | 389 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 390 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 391 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | -| 392 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 390 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 391 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 392 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 393 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | -| 394 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | -| 395 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | +| 394 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | +| 395 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 396 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | | 397 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | | 398 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | | 399 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | | 400 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | -| 401 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | -| 402 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | +| 401 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | +| 402 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | | 403 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | | 404 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | | 405 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | | 406 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | | 407 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 408 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 409 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 410 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | -| 411 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 408 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 409 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 410 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 411 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 412 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | | 413 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | | 414 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | | 415 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 416 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 416 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 417 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 418 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 418 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 419 | CKV_GCP_1 | resource | google_container_cluster | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters | Terraform | | 420 | CKV_GCP_2 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted ssh access | Terraform | | 421 | CKV_GCP_3 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted rdp access | Terraform | @@ -511,272 +511,272 @@ nav_order: 1 | 500 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | | 501 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | | 502 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 503 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 504 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 505 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 506 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 507 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 508 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 509 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 510 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 511 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 512 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 513 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 514 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 515 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 516 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 517 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 518 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 519 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 520 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 521 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 522 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 523 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 524 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 525 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 526 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 527 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 528 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 529 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 530 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 531 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 532 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 533 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 534 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 535 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 536 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 537 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 538 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 539 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 540 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 541 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 542 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 543 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 544 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 545 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 546 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 547 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 548 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 549 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 550 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 551 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 552 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 553 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 554 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 555 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 556 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 557 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 558 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 559 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 560 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 561 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 562 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 563 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 564 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 565 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 566 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 567 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 568 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 569 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 570 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 571 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 572 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 573 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 574 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 575 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 576 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 577 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 578 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 579 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 580 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 581 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 582 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 583 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 584 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 585 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 586 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 587 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 588 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 589 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 590 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 591 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 592 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 593 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 594 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 595 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 596 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 597 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 598 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 599 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 600 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 601 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 602 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 603 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 604 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 605 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 606 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 607 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 608 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 609 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 610 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 611 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 612 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 613 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 614 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 615 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 616 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 617 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 618 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 619 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 620 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 621 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 622 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 623 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 624 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 625 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 626 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 627 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 628 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 629 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 630 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 631 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 632 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 633 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 634 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 635 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 636 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 637 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 638 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 639 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 640 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 641 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 642 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 643 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 644 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 645 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 646 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 647 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 648 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 649 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 650 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 651 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 652 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 653 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 654 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 655 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 656 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 657 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 658 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 659 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 660 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 661 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 662 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 663 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 664 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 665 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 666 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 667 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 668 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 669 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 670 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 671 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 672 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 673 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 674 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 675 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 676 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 677 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 678 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 679 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 680 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 681 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 682 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 683 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 684 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 685 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 686 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 687 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 688 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 689 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 690 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 691 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 692 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 693 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 694 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 695 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 696 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 697 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 698 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 699 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 700 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 701 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 702 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 703 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 704 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 705 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 706 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 707 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 708 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 709 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 710 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 711 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 712 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 713 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 714 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 715 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 716 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 717 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 718 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 719 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 720 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 721 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 722 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 723 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 724 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 725 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 726 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 727 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 728 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 729 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 730 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 731 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 732 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 733 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 734 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 735 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 736 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 737 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 738 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 739 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 740 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 741 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 742 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 743 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 744 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 745 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 746 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 747 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 748 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 749 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 750 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 751 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 752 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 753 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 503 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 504 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 505 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 506 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 507 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 508 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 509 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 510 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 511 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 512 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 513 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 514 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 515 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 516 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 517 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 518 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 519 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 520 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 521 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 522 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 523 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 524 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 525 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 526 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 527 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 528 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 529 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 530 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 531 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 532 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 533 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 534 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 535 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 536 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 537 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 538 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 539 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 540 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 541 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 542 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 543 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 544 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 545 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 546 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 547 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 548 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 549 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 550 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 551 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 552 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 553 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 554 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 555 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 556 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 557 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 558 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 559 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 560 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 561 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 562 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 563 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 564 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 565 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 566 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 567 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 568 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 569 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 570 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 571 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 572 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 573 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 574 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 575 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 576 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 577 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 578 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 579 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 580 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 581 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 582 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 583 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 584 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 585 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 586 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 587 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 588 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 589 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 590 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 591 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 592 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 593 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 594 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 595 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 596 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 597 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 598 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 599 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 600 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 601 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 602 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 603 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 604 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 605 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 606 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 607 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 608 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 609 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 610 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 611 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 612 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 613 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 614 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 615 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 616 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 617 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 618 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 619 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 620 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 621 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 622 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 623 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 624 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 625 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 626 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 627 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 628 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 629 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 630 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 631 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 632 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 633 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 634 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 635 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 636 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 637 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 638 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 639 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 640 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 641 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 642 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 643 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 644 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 645 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 646 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 647 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 648 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 649 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 650 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 651 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 652 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 653 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 654 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 655 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 656 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 657 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 658 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 659 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 660 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 661 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 662 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 663 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 664 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 665 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 666 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 667 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 668 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 669 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 670 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 671 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 672 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 673 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 674 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 675 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 676 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 677 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 678 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 679 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 680 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 681 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 682 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 683 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 684 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 685 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 686 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 687 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 688 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 689 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 690 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 691 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 692 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 693 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 694 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 695 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 696 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 697 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 698 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 699 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 700 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 701 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 702 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 703 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 704 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 705 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 706 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 707 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 708 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 709 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 710 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 711 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 712 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 713 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 714 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 715 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 716 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 717 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 718 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 719 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 720 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 721 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 722 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 723 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 724 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 725 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 726 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 727 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 728 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 729 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 730 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 731 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 732 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 733 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 734 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 735 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 736 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 737 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 738 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 739 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 740 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 741 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 742 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 743 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 744 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 745 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 746 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 747 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 748 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 749 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 750 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 751 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 752 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 753 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 754 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 755 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 756 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 757 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 758 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 759 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 760 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 761 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 762 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 763 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 764 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 755 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 756 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 757 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 758 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 759 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 760 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 761 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 762 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 763 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 764 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 765 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 766 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 767 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 768 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 766 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 767 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 768 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 769 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | | 770 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | | 771 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | From 6dc730046e6ddcebaa39f6aa93a6609cae623238 Mon Sep 17 00:00:00 2001 From: Nimrod Kor Date: Thu, 12 Aug 2021 17:54:07 +0300 Subject: [PATCH 082/203] Merge pull request #1479 from bridgecrewio/fix/codebuildproject fix false positive on codebuild project encryption for #1458 --- docs/5.Policy Index/serverless.md | 130 ------------------------------ 1 file changed, 130 deletions(-) diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index 020ab484d2..d35af83ca3 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md @@ -16,133 +16,3 @@ nav_order: 1 --- -| | Id | Type | Entity | Policy | IaC | -|-----|-------------|----------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| -| 0 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | -| 1 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | -| 2 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | -| 3 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | -| 4 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | -| 5 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | -| 6 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | -| 7 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | -| 8 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | -| 9 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | -| 10 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | -| 11 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | -| 12 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | -| 13 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | -| 14 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | -| 15 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 16 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 17 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 18 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 19 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | -| 20 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | -| 21 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | -| 22 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | -| 23 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | -| 24 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | -| 25 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | -| 26 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | -| 27 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | -| 28 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | -| 29 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | -| 30 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | -| 31 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | -| 32 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | -| 33 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | -| 34 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | -| 35 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | -| 36 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | -| 37 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | -| 38 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | -| 39 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | -| 40 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | -| 41 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | -| 42 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | -| 43 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | -| 44 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | -| 45 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | -| 46 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | -| 47 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | -| 48 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | -| 49 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | -| 50 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | -| 51 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | -| 52 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | -| 53 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | -| 54 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | -| 55 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | -| 56 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | -| 57 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | -| 58 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | -| 59 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | -| 60 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | -| 61 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | -| 62 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | -| 63 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | -| 64 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | -| 65 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | -| 66 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | -| 67 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | -| 68 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | -| 69 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | -| 70 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | -| 71 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | -| 72 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | -| 73 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | -| 74 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | -| 75 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | -| 76 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | -| 77 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | -| 78 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | -| 79 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | -| 80 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 81 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 82 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 83 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 84 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 85 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 86 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 87 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 88 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 89 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 90 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 91 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 92 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 93 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 94 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 95 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 96 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 97 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 98 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 99 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 100 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 101 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 102 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 103 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 104 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 105 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | -| 106 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | -| 107 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | -| 108 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | -| 109 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | -| 110 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | -| 111 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | -| 112 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | -| 113 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | -| 114 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | -| 115 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | -| 116 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | -| 117 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | -| 118 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | -| 119 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | -| 120 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | -| 121 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | -| 122 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | - - ---- - - From bae72bd0dd80b56c7cdaf9923741932056206029 Mon Sep 17 00:00:00 2001 From: Nimrod Kor Date: Thu, 12 Aug 2021 17:54:07 +0300 Subject: [PATCH 083/203] Merge pull request #1479 from bridgecrewio/fix/codebuildproject fix false positive on codebuild project encryption for #1458 --- docs/5.Policy Index/all.md | 616 ++++++++++++++++++------------------- 1 file changed, 308 insertions(+), 308 deletions(-) diff --git a/docs/5.Policy Index/all.md b/docs/5.Policy Index/all.md index be74c49271..a2cba53fb6 100644 --- a/docs/5.Policy Index/all.md +++ b/docs/5.Policy Index/all.md @@ -329,17 +329,17 @@ nav_order: 1 | 318 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | | 319 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | | 320 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | -| 321 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | -| 322 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | -| 323 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 324 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 325 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | -| 326 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 321 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 322 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 323 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | +| 324 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | +| 325 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 326 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | | 327 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to an other resource | Terraform | | 328 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | | 329 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | -| 330 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | -| 331 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 330 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 331 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | | 332 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | | 333 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | | 334 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | @@ -349,20 +349,20 @@ nav_order: 1 | 338 | CKV2_AWS_13 | resource | aws_redshift_cluster | Ensure that Redshift clusters has backup plan of AWS Backup | Terraform | | 339 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | | 340 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | -| 341 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 342 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 343 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | -| 344 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | +| 341 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 342 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 343 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | +| 344 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 345 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | -| 346 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 347 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 348 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | -| 349 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 346 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | +| 347 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | +| 348 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 349 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | | 350 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | | 351 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | | 352 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | -| 353 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | -| 354 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | +| 353 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | +| 354 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | | 355 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | | 356 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | | 357 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | @@ -567,16 +567,16 @@ nav_order: 1 | 556 | CKV_AZURE_131 | resource | azurerm_security_center_contact | Ensure that 'Security contact emails' is set | Terraform | | 557 | CKV_AZURE_131 | parameter | secureString | SecureString parameter should not have hardcoded default values | arm | | 558 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | -| 559 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 560 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 561 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 562 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 559 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 560 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 561 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 562 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 563 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 564 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 565 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 564 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 565 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 566 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 567 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 568 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 567 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 568 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | | 569 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | | 570 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 571 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | @@ -584,28 +584,28 @@ nav_order: 1 | 573 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 574 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 575 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | -| 576 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | -| 577 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 576 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 577 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | | 578 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | | 579 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | -| 580 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | -| 581 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | +| 580 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | +| 581 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | | 582 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | | 583 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | | 584 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | -| 585 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 586 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 587 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 588 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 589 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | -| 590 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 585 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 586 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 587 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 588 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 589 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 590 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 591 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | -| 592 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 592 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | | 593 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 594 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 595 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 596 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 597 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 594 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 595 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 596 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 597 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 598 | CKV_DOCKER_1 | dockerfile | EXPOSE | Ensure port 22 is not exposed | dockerfile | | 599 | CKV_DOCKER_2 | dockerfile | * | Ensure that HEALTHCHECK instructions have been added to container images | dockerfile | | 600 | CKV_DOCKER_3 | dockerfile | * | Ensure that a user for the container has been created | dockerfile | @@ -698,279 +698,279 @@ nav_order: 1 | 687 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | | 688 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | | 689 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 690 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 691 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 692 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 693 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 694 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 695 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 696 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 697 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 698 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 699 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 700 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 701 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 702 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 703 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 704 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 705 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 706 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 707 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 708 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 709 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 710 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 711 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 712 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 713 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 714 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 715 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 716 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 717 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 718 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 719 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 720 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 721 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 722 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 723 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 724 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 725 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 726 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 727 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 728 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 729 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 730 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 731 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 732 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 733 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 734 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 735 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 736 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 737 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 738 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 739 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 740 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 741 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 742 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 743 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 744 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 745 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 746 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 747 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 748 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 749 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 750 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 751 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 752 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 753 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 754 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 755 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 756 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 757 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 758 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 759 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 760 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 761 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 762 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 763 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 764 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 765 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 766 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 767 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 768 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 769 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 770 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 771 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 772 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 773 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 690 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 691 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 692 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 693 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 694 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 695 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 696 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 697 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 698 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 699 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 700 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 701 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 702 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 703 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 704 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 705 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 706 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 707 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 708 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 709 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 710 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 711 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 712 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 713 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 714 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 715 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 716 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 717 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 718 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 719 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 720 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 721 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 722 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 723 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 724 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 725 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 726 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 727 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 728 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 729 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 730 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 731 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 732 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 733 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 734 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 735 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 736 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 737 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 738 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 739 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 740 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 741 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 742 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 743 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 744 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 745 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 746 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 747 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 748 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 749 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 750 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 751 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 752 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 753 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 754 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 755 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 756 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 757 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 758 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 759 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 760 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 761 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 762 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 763 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 764 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 765 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 766 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 767 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 768 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 769 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 770 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 771 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 772 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 773 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 774 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 775 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 776 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 777 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 778 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 779 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 780 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 781 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 782 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 783 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 784 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 785 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 786 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 787 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 788 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 789 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 790 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 791 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 792 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 793 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 794 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 795 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 796 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 797 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 798 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 799 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 800 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 801 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 802 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 803 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 804 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 805 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 806 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 807 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 808 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 809 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 810 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 775 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 776 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 777 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 778 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 779 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 780 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 781 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 782 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 783 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 784 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 785 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 786 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 787 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 788 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 789 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 790 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 791 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 792 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 793 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 794 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 795 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 796 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 797 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 798 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 799 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 800 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 801 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 802 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 803 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 804 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 805 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 806 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 807 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 808 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 809 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 810 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 811 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 812 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 813 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 814 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 815 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 816 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 817 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 818 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 819 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 820 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 821 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 822 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 823 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 824 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 825 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 826 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 827 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 828 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 829 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 830 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 831 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 832 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 833 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 834 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 835 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 836 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 837 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 838 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 839 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 840 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 841 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 842 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 843 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 844 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 845 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 846 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 847 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 848 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 849 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 850 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 851 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 852 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 853 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 854 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 855 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 856 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 857 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 858 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 859 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 860 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 861 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 862 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 863 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 864 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 865 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 866 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 867 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 868 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 869 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 870 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 871 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 872 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 873 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 874 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 875 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 876 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 877 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 878 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 879 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 880 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 881 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 882 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 883 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 884 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 885 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 886 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 887 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 888 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 889 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 890 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 891 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 892 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 893 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 894 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 895 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 896 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 897 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 898 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 899 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 900 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 901 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 902 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 903 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 904 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 905 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 906 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 907 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 908 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 909 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 910 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 911 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 912 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 913 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 914 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 915 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 916 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 917 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 918 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 919 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 920 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 921 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 922 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 923 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 924 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 925 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 926 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 927 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 928 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 929 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 930 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 931 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 932 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 933 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 934 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 935 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 936 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 937 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 938 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 939 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 940 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 941 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 942 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 943 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 944 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 945 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 946 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 947 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 948 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 949 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 950 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 951 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 812 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 813 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 814 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 815 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 816 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 817 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 818 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 819 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 820 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 821 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 822 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 823 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 824 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 825 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 826 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 827 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 828 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 829 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 830 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 831 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 832 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 833 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 834 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 835 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 836 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 837 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 838 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 839 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 840 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 841 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 842 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 843 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 844 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 845 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 846 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 847 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 848 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 849 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 850 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 851 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 852 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 853 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 854 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 855 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 856 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 857 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 858 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 859 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 860 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 861 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 862 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 863 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 864 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 865 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 866 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 867 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 868 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 869 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 870 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 871 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 872 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 873 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 874 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 875 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 876 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 877 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 878 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 879 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 880 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 881 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 882 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 883 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 884 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 885 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 886 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 887 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 888 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 889 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 890 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 891 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 892 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 893 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 894 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 895 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 896 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 897 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 898 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 899 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 900 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 901 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 902 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 903 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 904 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 905 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 906 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 907 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 908 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 909 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 910 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 911 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 912 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 913 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 914 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 915 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 916 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 917 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 918 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 919 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 920 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 921 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 922 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 923 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 924 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 925 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 926 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 927 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 928 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 929 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 930 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 931 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 932 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 933 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 934 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 935 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 936 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 937 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 938 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 939 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 940 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 941 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 942 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 943 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 944 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 945 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 946 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 947 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 948 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 949 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 950 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 951 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 952 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 953 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 954 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 955 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 953 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 954 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 955 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 956 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | | 957 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 958 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 958 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | | 959 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 960 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 961 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | -| 962 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 960 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 961 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 962 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 963 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform | | 964 | CKV_K8S_1 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host process ID namespace | Kubernetes | | 965 | CKV_K8S_2 | resource | PodSecurityPolicy | Do not admit privileged containers | Kubernetes | From 370a7e4f7d3649357aac8098bb21226d3b0d95dd Mon Sep 17 00:00:00 2001 From: Nimrod Kor Date: Thu, 12 Aug 2021 17:54:07 +0300 Subject: [PATCH 084/203] Merge pull request #1479 from bridgecrewio/fix/codebuildproject fix false positive on codebuild project encryption for #1458 --- docs/5.Policy Index/serverless.md | 130 ++++++++++++++++++++++++++++++ 1 file changed, 130 insertions(+) diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index d35af83ca3..020ab484d2 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md @@ -16,3 +16,133 @@ nav_order: 1 --- +| | Id | Type | Entity | Policy | IaC | +|-----|-------------|----------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| +| 0 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | +| 1 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | +| 2 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | +| 3 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | +| 4 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | +| 5 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | +| 6 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | +| 7 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | +| 8 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | +| 9 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | +| 10 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | +| 11 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | +| 12 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | +| 13 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | +| 14 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | +| 15 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 16 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 17 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 18 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 19 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | +| 20 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | +| 21 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | +| 22 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | +| 23 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | +| 24 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | +| 25 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | +| 26 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | +| 27 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | +| 28 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | +| 29 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | +| 30 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | +| 31 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | +| 32 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | +| 33 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | +| 34 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | +| 35 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | +| 36 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | +| 37 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | +| 38 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | +| 39 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | +| 40 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | +| 41 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | +| 42 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | +| 43 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | +| 44 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | +| 45 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | +| 46 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | +| 47 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | +| 48 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | +| 49 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | +| 50 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | +| 51 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | +| 52 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | +| 53 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | +| 54 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | +| 55 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | +| 56 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | +| 57 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | +| 58 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | +| 59 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | +| 60 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | +| 61 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | +| 62 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | +| 63 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | +| 64 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | +| 65 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | +| 66 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | +| 67 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | +| 68 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | +| 69 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | +| 70 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | +| 71 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | +| 72 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | +| 73 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | +| 74 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | +| 75 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | +| 76 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | +| 77 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | +| 78 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | +| 79 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | +| 80 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 81 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 82 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 83 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 84 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 85 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 86 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 87 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 88 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 89 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 90 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 91 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 92 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 93 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 94 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 95 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 96 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 97 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 98 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 99 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 100 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 101 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 102 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 103 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 104 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 105 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | +| 106 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | +| 107 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | +| 108 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | +| 109 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | +| 110 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | +| 111 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | +| 112 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | +| 113 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | +| 114 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | +| 115 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | +| 116 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | +| 117 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | +| 118 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | +| 119 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | +| 120 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | +| 121 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | +| 122 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | + + +--- + + From 86ecb94a3f1c377ecf52f462afddcafdcad74744 Mon Sep 17 00:00:00 2001 From: Nimrod Kor Date: Thu, 12 Aug 2021 17:54:07 +0300 Subject: [PATCH 085/203] Merge pull request #1479 from bridgecrewio/fix/codebuildproject fix false positive on codebuild project encryption for #1458 --- checkov/version.py | 2 +- kubernetes/requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/checkov/version.py b/checkov/version.py index b13106fc2c..94121e9b57 100644 --- a/checkov/version.py +++ b/checkov/version.py @@ -1 +1 @@ -version = '2.0.347' +version = '2.0.348' diff --git a/kubernetes/requirements.txt b/kubernetes/requirements.txt index a7e6277660..2c68ce8ae2 100644 --- a/kubernetes/requirements.txt +++ b/kubernetes/requirements.txt @@ -1 +1 @@ -checkov==2.0.347 +checkov==2.0.348 From 566aa8c8a178581f835317ecf57120a725d9c11e Mon Sep 17 00:00:00 2001 From: arielk Date: Fri, 13 Aug 2021 21:15:47 +0300 Subject: [PATCH 086/203] remove duplications from check --- .../aws/IAMRoleAllowAssumeFromAccount.py | 46 +++++++------------ 1 file changed, 16 insertions(+), 30 deletions(-) diff --git a/checkov/cloudformation/checks/resource/aws/IAMRoleAllowAssumeFromAccount.py b/checkov/cloudformation/checks/resource/aws/IAMRoleAllowAssumeFromAccount.py index cc5cb2e176..d4424bf054 100644 --- a/checkov/cloudformation/checks/resource/aws/IAMRoleAllowAssumeFromAccount.py +++ b/checkov/cloudformation/checks/resource/aws/IAMRoleAllowAssumeFromAccount.py @@ -4,6 +4,7 @@ from checkov.cloudformation.checks.resource.base_resource_check import BaseResourceCheck from checkov.common.models.enums import CheckResult, CheckCategories +ACCOUNT_ACCESS = re.compile(r'\d{12}|arn:aws:iam::\d{12}:root') class IAMRoleAllowAssumeFromAccount(BaseResourceCheck): def __init__(self): @@ -15,37 +16,22 @@ def __init__(self): def scan_resource_conf(self, conf): if 'AssumeRolePolicyDocument' in conf['Properties']: - if isinstance(conf['Properties']['AssumeRolePolicyDocument'], dict) and 'Fn::Sub' in conf['Properties']['AssumeRolePolicyDocument'].keys(): - assume_role_block = json.loads(conf['Properties']['AssumeRolePolicyDocument']['Fn::Sub']) - if 'Statement' in assume_role_block.keys(): - if isinstance(assume_role_block['Statement'], list) and 'Principal' in \ - assume_role_block['Statement'][0]: - if 'AWS' in assume_role_block['Statement'][0]['Principal']: - account_access = re.compile(r'\d{12}|arn:aws:iam::\d{12}:root') - if 'AWS' in assume_role_block['Statement'][0]['Principal']: - if isinstance(assume_role_block['Statement'][0]['Principal']['AWS'], - list) and isinstance( - assume_role_block['Statement'][0]['Principal']['AWS'][0], str): - if re.match(account_access, - assume_role_block['Statement'][0]['Principal']['AWS'][0]): - return CheckResult.FAILED + assume_role_policy_doc = conf['Properties']['AssumeRolePolicyDocument'] + if isinstance(assume_role_policy_doc, dict) and 'Fn::Sub' in assume_role_policy_doc.keys(): + assume_role_block = json.loads(assume_role_policy_doc['Fn::Sub']) + elif isinstance(assume_role_policy_doc, str): + assume_role_block = json.loads(assume_role_policy_doc) else: - if isinstance(conf['Properties']['AssumeRolePolicyDocument'], str): - assume_role_block = json.loads(conf['Properties']['AssumeRolePolicyDocument']) - else: - assume_role_block = conf['Properties']['AssumeRolePolicyDocument'] - if 'Statement' in assume_role_block.keys(): - if isinstance(assume_role_block['Statement'], list) and 'Principal' in \ - assume_role_block['Statement'][0]: - if 'AWS' in assume_role_block['Statement'][0]['Principal']: - account_access = re.compile(r'\d{12}|arn:aws:iam::\d{12}:root') - if 'AWS' in assume_role_block['Statement'][0]['Principal']: - if isinstance(assume_role_block['Statement'][0]['Principal']['AWS'], - list) and isinstance( - assume_role_block['Statement'][0]['Principal']['AWS'][0], str): - if re.match(account_access, - assume_role_block['Statement'][0]['Principal']['AWS'][0]): - return CheckResult.FAILED + assume_role_block = assume_role_policy_doc + + if 'Statement' in assume_role_block.keys(): + if isinstance(assume_role_block['Statement'], list) and 'Principal' in \ + assume_role_block['Statement'][0]: + if 'AWS' in assume_role_block['Statement'][0]['Principal']: + if isinstance(assume_role_block['Statement'][0]['Principal']['AWS'],list) \ + and isinstance(assume_role_block['Statement'][0]['Principal']['AWS'][0], str): + if re.match(ACCOUNT_ACCESS, assume_role_block['Statement'][0]['Principal']['AWS'][0]): + return CheckResult.FAILED return CheckResult.PASSED From ed743c6cc3ced8cc36f44df90aab0efdb29e7345 Mon Sep 17 00:00:00 2001 From: Nimrod Kor Date: Sun, 15 Aug 2021 08:54:09 +0300 Subject: [PATCH 087/203] Merge pull request #1491 from bridgecrewio/add_evaluated_key_to_cfn_value Add evaluated keys impl. to CFN base_resource_value_check.py --- docs/5.Policy Index/terraform.md | 596 +++++++++++++++---------------- 1 file changed, 298 insertions(+), 298 deletions(-) diff --git a/docs/5.Policy Index/terraform.md b/docs/5.Policy Index/terraform.md index e524701e28..e9b58b082e 100644 --- a/docs/5.Policy Index/terraform.md +++ b/docs/5.Policy Index/terraform.md @@ -201,32 +201,32 @@ nav_order: 1 | 190 | CKV_AWS_170 | resource | aws_qldb_ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Terraform | | 191 | CKV_AWS_171 | resource | aws_emr_security_configuration | Ensure Cluster security configuration encryption is using SSE-KMS | Terraform | | 192 | CKV_AWS_172 | resource | aws_qldb_ledger | Ensure QLDB ledger has deletion protection enabled | Terraform | -| 193 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | -| 194 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | -| 195 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | -| 196 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 193 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | +| 194 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | +| 195 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 196 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | | 197 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | | 198 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 199 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | -| 200 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 199 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 200 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | | 201 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to an other resource | Terraform | -| 202 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | -| 203 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | +| 202 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | +| 203 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | | 204 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | | 205 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | | 206 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | | 207 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | | 208 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | | 209 | CKV2_AWS_11 | resource | aws_vpc | Ensure VPC flow logging is enabled in all VPCs | Terraform | -| 210 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | -| 211 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 210 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 211 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | | 212 | CKV2_AWS_13 | resource | aws_redshift_cluster | Ensure that Redshift clusters has backup plan of AWS Backup | Terraform | -| 213 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | -| 214 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | -| 215 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 216 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 217 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | -| 218 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | +| 213 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | +| 214 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | +| 215 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 216 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 217 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | +| 218 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 219 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | | 220 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | | 221 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | @@ -235,8 +235,8 @@ nav_order: 1 | 224 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | | 225 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | | 226 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | -| 227 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | -| 228 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | +| 227 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | +| 228 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | | 229 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | | 230 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | | 231 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | @@ -390,14 +390,14 @@ nav_order: 1 | 379 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | | 380 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | | 381 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 382 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 383 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 382 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 383 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 384 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 385 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 386 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 385 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 386 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 387 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 388 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 389 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 388 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 389 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | | 390 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | | 391 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 392 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | @@ -405,28 +405,28 @@ nav_order: 1 | 394 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 395 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 396 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | -| 397 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | -| 398 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 397 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 398 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | | 399 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | | 400 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | | 401 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | | 402 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | -| 403 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | -| 404 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | +| 403 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | +| 404 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | | 405 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | | 406 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | | 407 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | | 408 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | | 409 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 410 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | -| 411 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 410 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 411 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 412 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | | 413 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 414 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 415 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 414 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 415 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | | 416 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 417 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 418 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 417 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 418 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 419 | CKV_GCP_1 | resource | google_container_cluster | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters | Terraform | | 420 | CKV_GCP_2 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted ssh access | Terraform | | 421 | CKV_GCP_3 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted rdp access | Terraform | @@ -511,276 +511,276 @@ nav_order: 1 | 500 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | | 501 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | | 502 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 503 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 504 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 505 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 506 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 507 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 508 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 509 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 510 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 511 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 512 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 513 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 514 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 515 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 516 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 517 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 518 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 519 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 520 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 521 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 522 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 523 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 524 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 525 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 526 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 527 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 528 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 529 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 530 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 531 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 532 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 533 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 534 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 535 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 536 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 537 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 538 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 539 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 540 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 541 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 542 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 543 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 544 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 545 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 546 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 547 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 548 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 549 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 550 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 551 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 552 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 553 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 554 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 555 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 556 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 557 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 558 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 559 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 560 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 561 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 562 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 563 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 564 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 565 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 566 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 567 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 568 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 569 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 570 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 571 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 572 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 573 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 574 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 575 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 576 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 577 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 578 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 579 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 580 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 581 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 582 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 583 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 584 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 585 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 586 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 587 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 588 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 589 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 590 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 591 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 592 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 593 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 594 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 595 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 596 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 597 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 598 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 599 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 600 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 601 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 602 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 603 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 604 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 605 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 606 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 607 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 608 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 609 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 610 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 611 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 612 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 613 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 614 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 615 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 616 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 617 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 618 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 619 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 620 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 621 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 622 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 623 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 624 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 625 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 626 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 627 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 628 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 629 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 630 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 631 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 632 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 633 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 634 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 635 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 636 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 637 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 638 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 639 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 640 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 641 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 642 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 643 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 644 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 645 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 646 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 647 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 648 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 649 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 650 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 651 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 652 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 653 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 654 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 655 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 656 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 657 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 658 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 659 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 660 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 661 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 662 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 663 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 664 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 665 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 666 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 667 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 668 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 669 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 670 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 671 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 672 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 673 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 674 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 675 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 676 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 677 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 678 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 679 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 680 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 681 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 682 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 683 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 684 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 685 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 686 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 687 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 688 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 689 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 690 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 691 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 692 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 693 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 694 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 695 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 696 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 697 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 698 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 699 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 700 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 701 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 702 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 703 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 704 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 705 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 706 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 707 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 708 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 709 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 710 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 711 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 712 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 713 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 714 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 503 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 504 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 505 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 506 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 507 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 508 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 509 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 510 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 511 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 512 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 513 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 514 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 515 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 516 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 517 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 518 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 519 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 520 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 521 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 522 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 523 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 524 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 525 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 526 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 527 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 528 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 529 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 530 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 531 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 532 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 533 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 534 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 535 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 536 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 537 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 538 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 539 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 540 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 541 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 542 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 543 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 544 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 545 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 546 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 547 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 548 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 549 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 550 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 551 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 552 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 553 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 554 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 555 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 556 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 557 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 558 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 559 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 560 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 561 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 562 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 563 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 564 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 565 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 566 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 567 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 568 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 569 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 570 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 571 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 572 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 573 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 574 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 575 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 576 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 577 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 578 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 579 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 580 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 581 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 582 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 583 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 584 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 585 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 586 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 587 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 588 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 589 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 590 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 591 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 592 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 593 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 594 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 595 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 596 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 597 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 598 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 599 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 600 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 601 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 602 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 603 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 604 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 605 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 606 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 607 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 608 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 609 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 610 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 611 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 612 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 613 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 614 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 615 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 616 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 617 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 618 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 619 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 620 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 621 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 622 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 623 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 624 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 625 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 626 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 627 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 628 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 629 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 630 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 631 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 632 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 633 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 634 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 635 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 636 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 637 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 638 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 639 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 640 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 641 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 642 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 643 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 644 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 645 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 646 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 647 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 648 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 649 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 650 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 651 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 652 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 653 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 654 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 655 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 656 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 657 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 658 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 659 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 660 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 661 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 662 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 663 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 664 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 665 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 666 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 667 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 668 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 669 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 670 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 671 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 672 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 673 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 674 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 675 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 676 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 677 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 678 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 679 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 680 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 681 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 682 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 683 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 684 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 685 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 686 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 687 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 688 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 689 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 690 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 691 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 692 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 693 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 694 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 695 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 696 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 697 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 698 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 699 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 700 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 701 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 702 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 703 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 704 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 705 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 706 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 707 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 708 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 709 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 710 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 711 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 712 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 713 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 714 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 715 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 716 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 717 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 718 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 719 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 720 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 721 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 722 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 723 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 724 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 725 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 726 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 727 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 728 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 729 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 730 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 731 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 732 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 733 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 734 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 735 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 736 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 737 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 738 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 739 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 740 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 741 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 742 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 743 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 744 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 745 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 746 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 747 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 748 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 749 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 750 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 751 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 752 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 716 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 717 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 718 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 719 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 720 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 721 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 722 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 723 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 724 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 725 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 726 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 727 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 728 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 729 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 730 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 731 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 732 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 733 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 734 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 735 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 736 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 737 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 738 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 739 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 740 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 741 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 742 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 743 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 744 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 745 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 746 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 747 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 748 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 749 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 750 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 751 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 752 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 753 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 754 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 755 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 756 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 757 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 758 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 759 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 760 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 761 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 762 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 763 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 764 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 754 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 755 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 756 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 757 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 758 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 759 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 760 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 761 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 762 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 763 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 764 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 765 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 766 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 766 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 767 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 768 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 768 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 769 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | | 770 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 771 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 772 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 771 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 772 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | | 773 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | | 774 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 775 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | From 4f1441eecef27123502503bec522b8ca9b4bfad6 Mon Sep 17 00:00:00 2001 From: Nimrod Kor Date: Sun, 15 Aug 2021 08:54:09 +0300 Subject: [PATCH 088/203] Merge pull request #1491 from bridgecrewio/add_evaluated_key_to_cfn_value Add evaluated keys impl. to CFN base_resource_value_check.py --- docs/5.Policy Index/serverless.md | 130 ------------------------------ 1 file changed, 130 deletions(-) diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index 020ab484d2..d35af83ca3 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md @@ -16,133 +16,3 @@ nav_order: 1 --- -| | Id | Type | Entity | Policy | IaC | -|-----|-------------|----------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| -| 0 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | -| 1 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | -| 2 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | -| 3 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | -| 4 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | -| 5 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | -| 6 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | -| 7 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | -| 8 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | -| 9 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | -| 10 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | -| 11 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | -| 12 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | -| 13 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | -| 14 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | -| 15 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 16 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 17 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 18 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 19 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | -| 20 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | -| 21 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | -| 22 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | -| 23 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | -| 24 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | -| 25 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | -| 26 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | -| 27 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | -| 28 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | -| 29 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | -| 30 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | -| 31 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | -| 32 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | -| 33 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | -| 34 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | -| 35 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | -| 36 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | -| 37 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | -| 38 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | -| 39 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | -| 40 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | -| 41 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | -| 42 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | -| 43 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | -| 44 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | -| 45 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | -| 46 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | -| 47 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | -| 48 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | -| 49 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | -| 50 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | -| 51 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | -| 52 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | -| 53 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | -| 54 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | -| 55 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | -| 56 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | -| 57 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | -| 58 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | -| 59 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | -| 60 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | -| 61 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | -| 62 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | -| 63 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | -| 64 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | -| 65 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | -| 66 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | -| 67 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | -| 68 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | -| 69 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | -| 70 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | -| 71 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | -| 72 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | -| 73 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | -| 74 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | -| 75 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | -| 76 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | -| 77 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | -| 78 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | -| 79 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | -| 80 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 81 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 82 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 83 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 84 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 85 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 86 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 87 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 88 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 89 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 90 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 91 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 92 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 93 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 94 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 95 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 96 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 97 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 98 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 99 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 100 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 101 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 102 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 103 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 104 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 105 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | -| 106 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | -| 107 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | -| 108 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | -| 109 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | -| 110 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | -| 111 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | -| 112 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | -| 113 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | -| 114 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | -| 115 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | -| 116 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | -| 117 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | -| 118 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | -| 119 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | -| 120 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | -| 121 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | -| 122 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | - - ---- - - From 8d9b8548aeb2fde1174916760657659fa0573a76 Mon Sep 17 00:00:00 2001 From: Nimrod Kor Date: Sun, 15 Aug 2021 08:54:09 +0300 Subject: [PATCH 089/203] Merge pull request #1491 from bridgecrewio/add_evaluated_key_to_cfn_value Add evaluated keys impl. to CFN base_resource_value_check.py --- docs/5.Policy Index/all.md | 586 ++++++++++++++++++------------------- 1 file changed, 293 insertions(+), 293 deletions(-) diff --git a/docs/5.Policy Index/all.md b/docs/5.Policy Index/all.md index a2cba53fb6..7004c50a45 100644 --- a/docs/5.Policy Index/all.md +++ b/docs/5.Policy Index/all.md @@ -329,17 +329,17 @@ nav_order: 1 | 318 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | | 319 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | | 320 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | -| 321 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | -| 322 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 321 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 322 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | | 323 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | | 324 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | | 325 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | | 326 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | | 327 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to an other resource | Terraform | -| 328 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | -| 329 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | -| 330 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | -| 331 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 328 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | +| 329 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | +| 330 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 331 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | | 332 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | | 333 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | | 334 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | @@ -349,13 +349,13 @@ nav_order: 1 | 338 | CKV2_AWS_13 | resource | aws_redshift_cluster | Ensure that Redshift clusters has backup plan of AWS Backup | Terraform | | 339 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | | 340 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | -| 341 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 342 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 341 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 342 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | | 343 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 344 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 345 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | -| 346 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 347 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | +| 346 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | +| 347 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | | 348 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | | 349 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | | 350 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | @@ -570,42 +570,42 @@ nav_order: 1 | 559 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | | 560 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | | 561 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 562 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 563 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 562 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 563 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 564 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 565 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 566 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 565 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 566 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 567 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 568 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 569 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 568 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 569 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | | 570 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 571 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 572 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | | 573 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 574 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 575 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | -| 576 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | -| 577 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 576 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 577 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | | 578 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | | 579 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | | 580 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | | 581 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | -| 582 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | -| 583 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | +| 582 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | +| 583 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | | 584 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | -| 585 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 586 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 585 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 586 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | | 587 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | | 588 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | | 589 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 590 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 591 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | -| 592 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 593 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 592 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 593 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | | 594 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 595 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 595 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 596 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 597 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 597 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 598 | CKV_DOCKER_1 | dockerfile | EXPOSE | Ensure port 22 is not exposed | dockerfile | | 599 | CKV_DOCKER_2 | dockerfile | * | Ensure that HEALTHCHECK instructions have been added to container images | dockerfile | | 600 | CKV_DOCKER_3 | dockerfile | * | Ensure that a user for the container has been created | dockerfile | @@ -698,277 +698,277 @@ nav_order: 1 | 687 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | | 688 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | | 689 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 690 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 691 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 692 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 693 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 694 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 695 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 696 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 697 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 698 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 699 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 700 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 701 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 702 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 703 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 704 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 705 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 706 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 707 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 690 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 691 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 692 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 693 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 694 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 695 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 696 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 697 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 698 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 699 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 700 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 701 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 702 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 703 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 704 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 705 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 706 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 707 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 708 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 709 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 710 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 711 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 712 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 713 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 714 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 715 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 716 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 717 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 718 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 719 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 720 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 721 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 722 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 723 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 724 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 725 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 726 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 727 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 728 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 729 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 730 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 731 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 732 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 733 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 734 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 735 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 736 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 737 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 738 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 739 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 740 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 741 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 742 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 743 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 744 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 745 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 746 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 747 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 748 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 749 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 750 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 751 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 752 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 753 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 754 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 755 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 756 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 757 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 758 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 759 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 760 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 761 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 762 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 763 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 764 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 765 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 766 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 767 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 768 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 769 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 770 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 771 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 772 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 773 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 774 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 775 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 776 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 777 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 778 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 779 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 780 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 781 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 782 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 783 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 784 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 785 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 786 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 787 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 788 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 789 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 790 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 791 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 792 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 793 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 794 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 709 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 710 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 711 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 712 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 713 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 714 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 715 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 716 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 717 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 718 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 719 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 720 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 721 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 722 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 723 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 724 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 725 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 726 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 727 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 728 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 729 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 730 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 731 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 732 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 733 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 734 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 735 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 736 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 737 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 738 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 739 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 740 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 741 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 742 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 743 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 744 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 745 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 746 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 747 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 748 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 749 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 750 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 751 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 752 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 753 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 754 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 755 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 756 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 757 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 758 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 759 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 760 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 761 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 762 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 763 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 764 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 765 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 766 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 767 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 768 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 769 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 770 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 771 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 772 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 773 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 774 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 775 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 776 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 777 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 778 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 779 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 780 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 781 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 782 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 783 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 784 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 785 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 786 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 787 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 788 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 789 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 790 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 791 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 792 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 793 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 794 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 795 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 796 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 797 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 798 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 799 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 800 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 801 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 802 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 803 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 804 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 805 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 806 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 807 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 808 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 809 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 810 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 811 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 812 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 813 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 814 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 815 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 816 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 817 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 818 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 819 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 820 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 821 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 822 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 823 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 824 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 825 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 826 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 827 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 828 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 829 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 830 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 831 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 832 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 833 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 834 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 835 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 836 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 837 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 838 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 839 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 840 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 841 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 842 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 843 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 844 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 845 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 846 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 847 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 848 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 849 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 850 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 851 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 852 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 853 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 854 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 855 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 856 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 857 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 858 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 859 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 860 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 861 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 862 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 863 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 864 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 865 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 866 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 867 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 868 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 869 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 870 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 871 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 872 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 873 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 874 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 875 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 876 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 877 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 878 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 879 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 880 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 881 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 882 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 883 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 884 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 885 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 886 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 887 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 888 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 889 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 890 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 891 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 892 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 893 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 894 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 895 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 896 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 897 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 898 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 899 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 900 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 901 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 902 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 903 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 904 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 905 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 906 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 907 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 908 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 909 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 910 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 911 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 912 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 913 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 914 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 915 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 916 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 917 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 918 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 919 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 920 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 921 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 922 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 923 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 924 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 925 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 926 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 927 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 928 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 929 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 930 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 931 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 932 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 933 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 934 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 935 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 936 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 937 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 938 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 939 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 940 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 941 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 942 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 943 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 944 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 945 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 946 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 947 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 948 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 949 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 950 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 951 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 952 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 953 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 796 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 797 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 798 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 799 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 800 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 801 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 802 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 803 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 804 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 805 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 806 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 807 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 808 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 809 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 810 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 811 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 812 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 813 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 814 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 815 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 816 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 817 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 818 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 819 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 820 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 821 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 822 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 823 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 824 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 825 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 826 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 827 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 828 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 829 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 830 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 831 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 832 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 833 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 834 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 835 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 836 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 837 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 838 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 839 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 840 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 841 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 842 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 843 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 844 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 845 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 846 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 847 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 848 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 849 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 850 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 851 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 852 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 853 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 854 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 855 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 856 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 857 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 858 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 859 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 860 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 861 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 862 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 863 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 864 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 865 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 866 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 867 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 868 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 869 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 870 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 871 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 872 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 873 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 874 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 875 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 876 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 877 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 878 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 879 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 880 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 881 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 882 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 883 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 884 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 885 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 886 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 887 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 888 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 889 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 890 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 891 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 892 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 893 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 894 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 895 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 896 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 897 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 898 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 899 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 900 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 901 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 902 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 903 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 904 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 905 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 906 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 907 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 908 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 909 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 910 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 911 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 912 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 913 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 914 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 915 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 916 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 917 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 918 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 919 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 920 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 921 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 922 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 923 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 924 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 925 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 926 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 927 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 928 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 929 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 930 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 931 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 932 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 933 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 934 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 935 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 936 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 937 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 938 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 939 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 940 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 941 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 942 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 943 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 944 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 945 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 946 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 947 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 948 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 949 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 950 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 951 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 952 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 953 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 954 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 955 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 956 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 957 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 955 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 956 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 957 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | | 958 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 959 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 960 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 959 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 960 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | | 961 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 962 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 963 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform | From 7854347dc272add4353a84b086fbbb52431869d4 Mon Sep 17 00:00:00 2001 From: Nimrod Kor Date: Sun, 15 Aug 2021 08:54:09 +0300 Subject: [PATCH 090/203] Merge pull request #1491 from bridgecrewio/add_evaluated_key_to_cfn_value Add evaluated keys impl. to CFN base_resource_value_check.py --- docs/5.Policy Index/serverless.md | 130 ++++++++++++++++++++++++++++++ 1 file changed, 130 insertions(+) diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index d35af83ca3..020ab484d2 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md @@ -16,3 +16,133 @@ nav_order: 1 --- +| | Id | Type | Entity | Policy | IaC | +|-----|-------------|----------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| +| 0 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | +| 1 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | +| 2 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | +| 3 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | +| 4 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | +| 5 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | +| 6 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | +| 7 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | +| 8 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | +| 9 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | +| 10 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | +| 11 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | +| 12 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | +| 13 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | +| 14 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | +| 15 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 16 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 17 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 18 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 19 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | +| 20 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | +| 21 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | +| 22 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | +| 23 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | +| 24 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | +| 25 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | +| 26 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | +| 27 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | +| 28 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | +| 29 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | +| 30 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | +| 31 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | +| 32 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | +| 33 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | +| 34 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | +| 35 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | +| 36 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | +| 37 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | +| 38 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | +| 39 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | +| 40 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | +| 41 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | +| 42 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | +| 43 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | +| 44 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | +| 45 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | +| 46 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | +| 47 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | +| 48 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | +| 49 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | +| 50 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | +| 51 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | +| 52 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | +| 53 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | +| 54 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | +| 55 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | +| 56 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | +| 57 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | +| 58 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | +| 59 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | +| 60 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | +| 61 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | +| 62 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | +| 63 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | +| 64 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | +| 65 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | +| 66 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | +| 67 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | +| 68 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | +| 69 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | +| 70 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | +| 71 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | +| 72 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | +| 73 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | +| 74 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | +| 75 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | +| 76 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | +| 77 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | +| 78 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | +| 79 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | +| 80 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 81 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 82 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 83 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 84 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 85 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 86 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 87 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 88 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 89 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 90 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 91 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 92 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 93 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 94 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 95 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 96 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 97 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 98 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 99 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 100 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 101 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 102 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 103 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 104 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 105 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | +| 106 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | +| 107 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | +| 108 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | +| 109 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | +| 110 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | +| 111 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | +| 112 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | +| 113 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | +| 114 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | +| 115 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | +| 116 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | +| 117 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | +| 118 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | +| 119 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | +| 120 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | +| 121 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | +| 122 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | + + +--- + + From 5b5ed57a2e7bb3e59e6e8e9138374feedc6d9a47 Mon Sep 17 00:00:00 2001 From: Nimrod Kor Date: Sun, 15 Aug 2021 08:54:09 +0300 Subject: [PATCH 091/203] Merge pull request #1491 from bridgecrewio/add_evaluated_key_to_cfn_value Add evaluated keys impl. to CFN base_resource_value_check.py --- checkov/version.py | 2 +- kubernetes/requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/checkov/version.py b/checkov/version.py index 94121e9b57..f60855d8c4 100644 --- a/checkov/version.py +++ b/checkov/version.py @@ -1 +1 @@ -version = '2.0.348' +version = '2.0.349' diff --git a/kubernetes/requirements.txt b/kubernetes/requirements.txt index 2c68ce8ae2..485774279a 100644 --- a/kubernetes/requirements.txt +++ b/kubernetes/requirements.txt @@ -1 +1 @@ -checkov==2.0.348 +checkov==2.0.349 From 0eb11036ad4a7e7a929ad1dbfc4da20f5d539de8 Mon Sep 17 00:00:00 2001 From: Nimrod Kor Date: Sun, 15 Aug 2021 10:16:14 +0300 Subject: [PATCH 092/203] Merge pull request #1494 from bridgecrewio/Remove_duplications_CKV_AWS_61 remove duplications from check --- docs/5.Policy Index/terraform.md | 592 +++++++++++++++---------------- 1 file changed, 296 insertions(+), 296 deletions(-) diff --git a/docs/5.Policy Index/terraform.md b/docs/5.Policy Index/terraform.md index e9b58b082e..9512ef6e5f 100644 --- a/docs/5.Policy Index/terraform.md +++ b/docs/5.Policy Index/terraform.md @@ -201,8 +201,8 @@ nav_order: 1 | 190 | CKV_AWS_170 | resource | aws_qldb_ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Terraform | | 191 | CKV_AWS_171 | resource | aws_emr_security_configuration | Ensure Cluster security configuration encryption is using SSE-KMS | Terraform | | 192 | CKV_AWS_172 | resource | aws_qldb_ledger | Ensure QLDB ledger has deletion protection enabled | Terraform | -| 193 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | -| 194 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | +| 193 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | +| 194 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | | 195 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | | 196 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | | 197 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | @@ -212,8 +212,8 @@ nav_order: 1 | 201 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to an other resource | Terraform | | 202 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | | 203 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | -| 204 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | -| 205 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 204 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 205 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | | 206 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | | 207 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | | 208 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | @@ -221,25 +221,25 @@ nav_order: 1 | 210 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | | 211 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | | 212 | CKV2_AWS_13 | resource | aws_redshift_cluster | Ensure that Redshift clusters has backup plan of AWS Backup | Terraform | -| 213 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | -| 214 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | +| 213 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | +| 214 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | | 215 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | | 216 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | | 217 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 218 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 219 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | -| 220 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 221 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 222 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | -| 223 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 220 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | +| 221 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | +| 222 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 223 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | | 224 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | | 225 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | | 226 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | -| 227 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | -| 228 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | +| 227 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | +| 228 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | | 229 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | -| 230 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | -| 231 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | +| 230 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | +| 231 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | | 232 | CKV_AZURE_1 | resource | azurerm_linux_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | | 233 | CKV_AZURE_1 | resource | azurerm_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | | 234 | CKV_AZURE_2 | resource | azurerm_managed_disk | Ensure Azure managed disk has encryption enabled | Terraform | @@ -402,31 +402,31 @@ nav_order: 1 | 391 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 392 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 393 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | -| 394 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | -| 395 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | +| 394 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | +| 395 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 396 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | -| 397 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | -| 398 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 397 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 398 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | | 399 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | | 400 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | | 401 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | | 402 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | -| 403 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | -| 404 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | +| 403 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | +| 404 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | | 405 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | | 406 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | | 407 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 408 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 409 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 408 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 409 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | | 410 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 411 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 412 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | -| 413 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 414 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 415 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 416 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 413 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 414 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 415 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 416 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 417 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 418 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 418 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 419 | CKV_GCP_1 | resource | google_container_cluster | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters | Terraform | | 420 | CKV_GCP_2 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted ssh access | Terraform | | 421 | CKV_GCP_3 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted rdp access | Terraform | @@ -511,279 +511,279 @@ nav_order: 1 | 500 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | | 501 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | | 502 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 503 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 504 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 505 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 506 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 507 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 508 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 509 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 510 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 511 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 512 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 513 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 514 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 515 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 516 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 517 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 518 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 519 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 520 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 521 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 522 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 523 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 524 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 525 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 526 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 527 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 528 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 529 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 530 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 531 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 532 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 533 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 534 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 535 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 536 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 537 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 538 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 539 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 540 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 541 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 542 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 543 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 544 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 545 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 546 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 547 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 548 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 549 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 550 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 551 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 552 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 553 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 554 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 555 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 556 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 557 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 558 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 559 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 560 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 561 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 562 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 563 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 564 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 565 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 566 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 567 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 568 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 569 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 570 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 571 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 572 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 573 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 574 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 575 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 576 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 577 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 578 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 579 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 580 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 581 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 582 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 583 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 584 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 585 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 586 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 587 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 588 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 589 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 590 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 591 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 592 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 593 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 594 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 595 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 596 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 597 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 598 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 599 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 600 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 601 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 602 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 603 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 604 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 605 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 606 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 607 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 608 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 609 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 610 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 611 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 612 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 613 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 614 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 615 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 616 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 617 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 618 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 619 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 620 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 621 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 622 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 623 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 624 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 625 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 626 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 627 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 628 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 629 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 630 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 631 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 632 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 633 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 634 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 635 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 636 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 637 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 638 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 639 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 640 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 641 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 642 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 643 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 644 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 645 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 646 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 647 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 648 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 649 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 650 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 651 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 652 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 653 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 654 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 655 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 656 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 657 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 658 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 659 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 660 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 661 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 662 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 663 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 664 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 665 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 666 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 667 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 668 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 669 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 670 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 671 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 672 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 673 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 674 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 675 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 676 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 677 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 678 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 679 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 680 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 681 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 503 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 504 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 505 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 506 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 507 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 508 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 509 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 510 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 511 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 512 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 513 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 514 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 515 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 516 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 517 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 518 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 519 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 520 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 521 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 522 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 523 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 524 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 525 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 526 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 527 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 528 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 529 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 530 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 531 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 532 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 533 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 534 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 535 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 536 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 537 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 538 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 539 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 540 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 541 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 542 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 543 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 544 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 545 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 546 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 547 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 548 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 549 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 550 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 551 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 552 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 553 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 554 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 555 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 556 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 557 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 558 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 559 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 560 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 561 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 562 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 563 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 564 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 565 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 566 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 567 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 568 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 569 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 570 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 571 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 572 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 573 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 574 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 575 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 576 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 577 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 578 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 579 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 580 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 581 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 582 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 583 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 584 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 585 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 586 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 587 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 588 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 589 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 590 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 591 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 592 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 593 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 594 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 595 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 596 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 597 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 598 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 599 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 600 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 601 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 602 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 603 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 604 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 605 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 606 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 607 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 608 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 609 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 610 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 611 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 612 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 613 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 614 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 615 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 616 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 617 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 618 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 619 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 620 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 621 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 622 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 623 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 624 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 625 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 626 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 627 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 628 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 629 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 630 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 631 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 632 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 633 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 634 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 635 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 636 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 637 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 638 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 639 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 640 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 641 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 642 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 643 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 644 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 645 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 646 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 647 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 648 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 649 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 650 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 651 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 652 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 653 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 654 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 655 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 656 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 657 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 658 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 659 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 660 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 661 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 662 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 663 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 664 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 665 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 666 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 667 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 668 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 669 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 670 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 671 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 672 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 673 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 674 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 675 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 676 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 677 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 678 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 679 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 680 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 681 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 682 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 683 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 684 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 685 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 686 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 687 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 688 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 689 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 690 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 691 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 692 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 693 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 694 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 695 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 696 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 697 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 698 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 699 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 700 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 701 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 702 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 703 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 704 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 705 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 706 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 707 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 708 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 709 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 710 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 711 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 712 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 713 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 714 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 715 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 716 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 717 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 718 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 719 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 720 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 721 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 722 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 723 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 724 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 725 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 726 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 727 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 728 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 729 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 730 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 731 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 732 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 733 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 734 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 735 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 736 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 737 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 738 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 739 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 740 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 741 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 742 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 743 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 744 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 745 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 746 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 747 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 748 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 749 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 750 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 751 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 752 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 753 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 754 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 755 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 756 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 757 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 758 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 759 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 760 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 761 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 762 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 763 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 764 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 765 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 683 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 684 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 685 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 686 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 687 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 688 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 689 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 690 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 691 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 692 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 693 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 694 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 695 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 696 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 697 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 698 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 699 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 700 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 701 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 702 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 703 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 704 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 705 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 706 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 707 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 708 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 709 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 710 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 711 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 712 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 713 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 714 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 715 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 716 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 717 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 718 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 719 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 720 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 721 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 722 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 723 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 724 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 725 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 726 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 727 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 728 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 729 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 730 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 731 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 732 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 733 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 734 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 735 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 736 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 737 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 738 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 739 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 740 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 741 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 742 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 743 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 744 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 745 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 746 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 747 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 748 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 749 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 750 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 751 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 752 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 753 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 754 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 755 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 756 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 757 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 758 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 759 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 760 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 761 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 762 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 763 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 764 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 765 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 766 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 767 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 768 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 767 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 768 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 769 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | | 770 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 771 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 772 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 773 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 774 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | -| 775 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 771 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 772 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 773 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 774 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 775 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 776 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform | | 777 | CKV_LIN_1 | provider | linode | Ensure no hard coded Linode tokens exist in provider | Terraform | | 778 | CKV_LIN_2 | resource | linode_instance | Ensure SSH key set in authorized_keys | Terraform | From 0ed4620bfc1fb689ba162bf4b4f8bc999e6f6ea9 Mon Sep 17 00:00:00 2001 From: Nimrod Kor Date: Sun, 15 Aug 2021 10:16:14 +0300 Subject: [PATCH 093/203] Merge pull request #1494 from bridgecrewio/Remove_duplications_CKV_AWS_61 remove duplications from check --- docs/5.Policy Index/serverless.md | 130 ------------------------------ 1 file changed, 130 deletions(-) diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index 020ab484d2..d35af83ca3 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md @@ -16,133 +16,3 @@ nav_order: 1 --- -| | Id | Type | Entity | Policy | IaC | -|-----|-------------|----------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| -| 0 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | -| 1 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | -| 2 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | -| 3 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | -| 4 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | -| 5 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | -| 6 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | -| 7 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | -| 8 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | -| 9 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | -| 10 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | -| 11 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | -| 12 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | -| 13 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | -| 14 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | -| 15 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 16 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 17 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 18 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 19 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | -| 20 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | -| 21 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | -| 22 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | -| 23 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | -| 24 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | -| 25 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | -| 26 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | -| 27 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | -| 28 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | -| 29 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | -| 30 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | -| 31 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | -| 32 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | -| 33 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | -| 34 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | -| 35 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | -| 36 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | -| 37 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | -| 38 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | -| 39 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | -| 40 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | -| 41 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | -| 42 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | -| 43 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | -| 44 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | -| 45 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | -| 46 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | -| 47 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | -| 48 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | -| 49 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | -| 50 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | -| 51 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | -| 52 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | -| 53 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | -| 54 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | -| 55 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | -| 56 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | -| 57 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | -| 58 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | -| 59 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | -| 60 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | -| 61 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | -| 62 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | -| 63 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | -| 64 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | -| 65 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | -| 66 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | -| 67 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | -| 68 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | -| 69 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | -| 70 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | -| 71 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | -| 72 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | -| 73 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | -| 74 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | -| 75 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | -| 76 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | -| 77 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | -| 78 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | -| 79 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | -| 80 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 81 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 82 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 83 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 84 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 85 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 86 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 87 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 88 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 89 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 90 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 91 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 92 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 93 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 94 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 95 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 96 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 97 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 98 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 99 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 100 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 101 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 102 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 103 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 104 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 105 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | -| 106 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | -| 107 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | -| 108 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | -| 109 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | -| 110 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | -| 111 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | -| 112 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | -| 113 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | -| 114 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | -| 115 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | -| 116 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | -| 117 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | -| 118 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | -| 119 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | -| 120 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | -| 121 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | -| 122 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | - - ---- - - From 14ddbb7a382db37c22698da123b577a9e0645402 Mon Sep 17 00:00:00 2001 From: Nimrod Kor Date: Sun, 15 Aug 2021 10:16:14 +0300 Subject: [PATCH 094/203] Merge pull request #1494 from bridgecrewio/Remove_duplications_CKV_AWS_61 remove duplications from check --- docs/5.Policy Index/all.md | 600 ++++++++++++++++++------------------- 1 file changed, 300 insertions(+), 300 deletions(-) diff --git a/docs/5.Policy Index/all.md b/docs/5.Policy Index/all.md index 7004c50a45..f1b850bbfc 100644 --- a/docs/5.Policy Index/all.md +++ b/docs/5.Policy Index/all.md @@ -327,17 +327,17 @@ nav_order: 1 | 316 | CKV_AWS_171 | resource | aws_emr_security_configuration | Ensure Cluster security configuration encryption is using SSE-KMS | Terraform | | 317 | CKV_AWS_172 | resource | aws_qldb_ledger | Ensure QLDB ledger has deletion protection enabled | Terraform | | 318 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | -| 319 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | -| 320 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | -| 321 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | -| 322 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 319 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | +| 320 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | +| 321 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 322 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | | 323 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | | 324 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 325 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | -| 326 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 325 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 326 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | | 327 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to an other resource | Terraform | -| 328 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | -| 329 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | +| 328 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | +| 329 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | | 330 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | | 331 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | | 332 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | @@ -347,22 +347,22 @@ nav_order: 1 | 336 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | | 337 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | | 338 | CKV2_AWS_13 | resource | aws_redshift_cluster | Ensure that Redshift clusters has backup plan of AWS Backup | Terraform | -| 339 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | -| 340 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | +| 339 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | +| 340 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | | 341 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | | 342 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | | 343 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 344 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 345 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | -| 346 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 347 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | +| 346 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | +| 347 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | | 348 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | | 349 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | | 350 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | | 351 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | | 352 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | -| 353 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | -| 354 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | +| 353 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | +| 354 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | | 355 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | | 356 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | | 357 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | @@ -569,20 +569,20 @@ nav_order: 1 | 558 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | | 559 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | | 560 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 561 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 562 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 561 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 562 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 563 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 564 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 565 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 564 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 565 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 566 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 567 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 568 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 567 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 568 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | | 569 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 570 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | -| 571 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 570 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 571 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 572 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | -| 573 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | -| 574 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | +| 573 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | +| 574 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 575 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | | 576 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | | 577 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | @@ -593,12 +593,12 @@ nav_order: 1 | 582 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | | 583 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | | 584 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | -| 585 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 586 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 587 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 588 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 589 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | -| 590 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 585 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 586 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 587 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 588 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 589 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 590 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 591 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | | 592 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | | 593 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | @@ -698,279 +698,279 @@ nav_order: 1 | 687 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | | 688 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | | 689 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 690 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 691 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 692 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 693 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 694 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 695 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 696 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 697 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 698 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 699 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 700 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 701 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 702 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 703 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 704 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 705 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 706 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 707 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 708 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 709 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 710 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 711 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 712 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 713 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 714 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 715 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 716 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 717 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 718 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 719 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 720 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 721 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 722 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 723 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 724 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 725 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 726 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 727 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 728 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 729 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 730 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 731 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 732 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 733 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 734 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 735 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 736 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 737 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 738 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 739 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 740 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 741 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 742 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 743 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 744 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 745 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 746 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 747 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 748 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 749 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 750 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 751 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 752 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 753 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 754 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 755 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 756 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 757 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 758 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 759 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 760 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 761 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 762 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 763 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 764 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 765 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 766 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 767 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 768 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 769 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 770 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 771 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 772 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 773 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 774 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 775 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 776 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 777 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 778 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 779 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 780 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 781 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 782 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 783 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 784 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 785 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 786 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 787 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 788 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 789 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 790 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 791 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 792 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 793 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 794 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 795 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 796 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 797 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 798 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 799 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 800 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 801 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 802 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 803 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 804 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 805 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 806 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 807 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 808 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 809 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 810 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 811 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 812 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 813 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 814 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 815 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 816 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 817 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 818 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 819 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 820 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 821 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 822 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 823 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 824 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 825 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 826 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 827 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 828 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 829 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 830 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 831 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 832 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 833 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 834 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 835 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 836 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 837 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 838 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 839 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 840 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 841 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 842 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 843 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 844 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 845 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 846 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 847 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 848 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 849 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 850 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 851 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 852 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 853 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 854 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 855 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 856 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 857 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 858 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 859 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 860 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 861 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 862 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 863 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 864 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 865 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 866 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 867 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 868 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 869 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 870 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 871 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 872 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 873 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 874 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 875 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 876 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 877 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 878 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 879 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 880 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 881 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 882 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 883 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 884 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 885 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 886 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 887 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 888 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 889 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 890 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 891 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 892 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 893 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 894 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 895 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 896 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 897 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 898 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 899 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 900 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 901 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 902 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 903 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 904 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 905 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 906 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 907 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 908 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 909 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 910 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 911 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 912 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 913 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 914 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 915 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 916 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 917 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 918 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 919 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 920 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 921 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 922 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 923 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 924 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 925 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 926 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 927 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 928 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 929 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 930 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 931 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 932 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 933 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 934 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 935 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 936 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 937 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 938 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 939 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 940 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 941 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 942 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 943 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 944 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 945 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 946 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 947 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 948 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 949 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 950 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 951 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 952 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 953 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 954 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 955 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 690 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 691 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 692 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 693 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 694 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 695 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 696 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 697 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 698 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 699 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 700 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 701 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 702 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 703 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 704 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 705 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 706 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 707 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 708 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 709 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 710 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 711 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 712 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 713 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 714 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 715 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 716 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 717 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 718 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 719 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 720 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 721 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 722 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 723 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 724 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 725 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 726 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 727 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 728 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 729 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 730 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 731 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 732 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 733 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 734 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 735 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 736 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 737 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 738 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 739 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 740 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 741 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 742 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 743 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 744 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 745 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 746 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 747 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 748 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 749 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 750 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 751 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 752 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 753 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 754 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 755 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 756 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 757 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 758 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 759 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 760 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 761 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 762 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 763 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 764 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 765 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 766 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 767 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 768 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 769 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 770 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 771 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 772 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 773 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 774 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 775 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 776 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 777 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 778 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 779 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 780 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 781 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 782 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 783 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 784 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 785 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 786 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 787 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 788 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 789 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 790 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 791 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 792 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 793 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 794 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 795 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 796 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 797 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 798 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 799 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 800 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 801 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 802 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 803 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 804 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 805 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 806 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 807 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 808 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 809 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 810 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 811 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 812 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 813 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 814 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 815 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 816 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 817 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 818 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 819 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 820 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 821 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 822 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 823 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 824 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 825 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 826 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 827 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 828 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 829 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 830 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 831 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 832 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 833 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 834 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 835 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 836 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 837 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 838 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 839 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 840 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 841 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 842 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 843 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 844 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 845 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 846 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 847 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 848 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 849 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 850 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 851 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 852 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 853 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 854 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 855 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 856 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 857 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 858 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 859 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 860 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 861 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 862 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 863 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 864 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 865 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 866 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 867 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 868 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 869 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 870 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 871 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 872 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 873 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 874 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 875 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 876 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 877 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 878 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 879 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 880 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 881 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 882 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 883 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 884 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 885 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 886 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 887 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 888 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 889 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 890 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 891 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 892 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 893 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 894 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 895 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 896 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 897 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 898 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 899 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 900 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 901 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 902 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 903 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 904 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 905 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 906 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 907 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 908 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 909 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 910 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 911 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 912 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 913 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 914 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 915 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 916 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 917 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 918 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 919 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 920 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 921 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 922 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 923 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 924 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 925 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 926 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 927 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 928 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 929 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 930 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 931 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 932 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 933 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 934 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 935 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 936 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 937 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 938 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 939 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 940 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 941 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 942 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 943 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 944 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 945 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 946 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 947 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 948 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 949 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 950 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 951 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 952 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 953 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 954 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 955 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 956 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | | 957 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | | 958 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 959 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 960 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 961 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | -| 962 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 959 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 960 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 961 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 962 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 963 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform | | 964 | CKV_K8S_1 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host process ID namespace | Kubernetes | | 965 | CKV_K8S_2 | resource | PodSecurityPolicy | Do not admit privileged containers | Kubernetes | From f233f7c33f2ee81a9d8db5d2b735532d6e052316 Mon Sep 17 00:00:00 2001 From: Nimrod Kor Date: Sun, 15 Aug 2021 10:16:14 +0300 Subject: [PATCH 095/203] Merge pull request #1494 from bridgecrewio/Remove_duplications_CKV_AWS_61 remove duplications from check --- docs/5.Policy Index/serverless.md | 130 ++++++++++++++++++++++++++++++ 1 file changed, 130 insertions(+) diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index d35af83ca3..020ab484d2 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md @@ -16,3 +16,133 @@ nav_order: 1 --- +| | Id | Type | Entity | Policy | IaC | +|-----|-------------|----------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| +| 0 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | +| 1 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | +| 2 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | +| 3 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | +| 4 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | +| 5 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | +| 6 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | +| 7 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | +| 8 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | +| 9 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | +| 10 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | +| 11 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | +| 12 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | +| 13 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | +| 14 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | +| 15 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 16 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 17 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 18 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 19 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | +| 20 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | +| 21 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | +| 22 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | +| 23 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | +| 24 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | +| 25 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | +| 26 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | +| 27 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | +| 28 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | +| 29 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | +| 30 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | +| 31 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | +| 32 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | +| 33 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | +| 34 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | +| 35 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | +| 36 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | +| 37 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | +| 38 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | +| 39 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | +| 40 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | +| 41 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | +| 42 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | +| 43 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | +| 44 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | +| 45 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | +| 46 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | +| 47 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | +| 48 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | +| 49 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | +| 50 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | +| 51 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | +| 52 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | +| 53 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | +| 54 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | +| 55 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | +| 56 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | +| 57 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | +| 58 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | +| 59 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | +| 60 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | +| 61 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | +| 62 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | +| 63 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | +| 64 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | +| 65 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | +| 66 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | +| 67 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | +| 68 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | +| 69 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | +| 70 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | +| 71 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | +| 72 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | +| 73 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | +| 74 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | +| 75 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | +| 76 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | +| 77 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | +| 78 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | +| 79 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | +| 80 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 81 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 82 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 83 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 84 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 85 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 86 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 87 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 88 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 89 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 90 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 91 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 92 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 93 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 94 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 95 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 96 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 97 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 98 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 99 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 100 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 101 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 102 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 103 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 104 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 105 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | +| 106 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | +| 107 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | +| 108 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | +| 109 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | +| 110 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | +| 111 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | +| 112 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | +| 113 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | +| 114 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | +| 115 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | +| 116 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | +| 117 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | +| 118 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | +| 119 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | +| 120 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | +| 121 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | +| 122 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | + + +--- + + From 9a38d503d383529dce2578dbea5392cccd39ac75 Mon Sep 17 00:00:00 2001 From: Nimrod Kor Date: Sun, 15 Aug 2021 10:16:14 +0300 Subject: [PATCH 096/203] Merge pull request #1494 from bridgecrewio/Remove_duplications_CKV_AWS_61 remove duplications from check --- checkov/version.py | 2 +- kubernetes/requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/checkov/version.py b/checkov/version.py index f60855d8c4..7a107970a1 100644 --- a/checkov/version.py +++ b/checkov/version.py @@ -1 +1 @@ -version = '2.0.349' +version = '2.0.350' diff --git a/kubernetes/requirements.txt b/kubernetes/requirements.txt index 485774279a..8098571ddf 100644 --- a/kubernetes/requirements.txt +++ b/kubernetes/requirements.txt @@ -1 +1 @@ -checkov==2.0.349 +checkov==2.0.350 From 8deb9c5ea64d28956f3a0f93c58b5a15f2d63163 Mon Sep 17 00:00:00 2001 From: Saar Ettinger Date: Sun, 15 Aug 2021 11:02:18 +0300 Subject: [PATCH 097/203] added cfn edges --- Pipfile | 1 + Pipfile.lock | 89 ++++++++++- .../graph_builder/local_graph.py | 147 +++++++++++++++++- checkov/cloudformation/parser/__init__.py | 7 + checkov/cloudformation/parser/cfn_keywords.py | 34 ++++ .../graph_builder/graph_components/edge.py | 9 ++ 6 files changed, 278 insertions(+), 9 deletions(-) create mode 100644 checkov/cloudformation/parser/cfn_keywords.py diff --git a/Pipfile b/Pipfile index ef3df7dbb1..baaa1935f3 100644 --- a/Pipfile +++ b/Pipfile @@ -43,6 +43,7 @@ detect_secrets = "*" policyuniverse = "*" typing-extensions = "*" importlib-metadata = ">=0.12" +cfn-lint = "==0.53.*" [requires] python_version = "3.7" diff --git a/Pipfile.lock b/Pipfile.lock index 20d74fb8fe..01c9d90246 100644 --- a/Pipfile.lock +++ b/Pipfile.lock @@ -1,7 +1,7 @@ { "_meta": { "hash": { - "sha256": "8dded0accadc2382e9bf421a3643aa1a4eb0a7ced54bffdbcb0a8e0e5502f2ac" + "sha256": "f2d62b9a4a56a6781ec34b7e7d2f8a77a0cbb42813f18b8889d8facf2b6dcb93" }, "pipfile-spec": 6, "requires": { @@ -16,6 +16,22 @@ ] }, "default": { + "attrs": { + "hashes": [ + "sha256:149e90d6d8ac20db7a955ad60cf0e6881a3f20d37096140088356da6c716b0b1", + "sha256:ef6aaac3ca6cd92904cdd0d83f629a15f18053ec84e6432106f7a4d04ae4f5fb" + ], + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", + "version": "==21.2.0" + }, + "aws-sam-translator": { + "hashes": [ + "sha256:0ecadda9cf5ab2318f57f1253181a2151e4c53cd35d21717a923c075a5a65cb6", + "sha256:dc6b816bb5cfd9709299f9b263fc0cf5ae60aca4166d1c90413ece651f1556bb", + "sha256:ee7c7c5e44ec67202622ca877140545496527ffcc45da3beeda966f007443a88" + ], + "version": "==1.38.0" + }, "bc-python-hcl2": { "hashes": [ "sha256:46f525676842d5c232752f9655f138665a1fa317b04e26efee3f82101dae204b", @@ -62,6 +78,14 @@ ], "version": "==2021.5.30" }, + "cfn-lint": { + "hashes": [ + "sha256:b7f5964842f7a44c5af9c61d64308dc4bcb718cf5de5428781d5564e9663463d", + "sha256:d17359e3ca9477eccaea700fac4bf028f5bc368a338c017adde5187f2691cab8" + ], + "index": "pypi", + "version": "==0.53.0" + }, "charset-normalizer": { "hashes": [ "sha256:0c8911edd15d19223366a194a513099a302055a962bca2cec0f54b8b63175d8b", @@ -104,11 +128,11 @@ }, "configargparse": { "hashes": [ - "sha256:371f46577e76ec71a183b88378f36dd09f4b946f60fe60712f411b020f26b812", - "sha256:ebef7b5379600fa34c276debf36e72ac8b37e7e42e6f0cfaed49c61e206eb604" + "sha256:c39540eb4843883d526beeed912dc80c92481b0c13c9787c91e614a624de3666", + "sha256:f75b235a13dba6692ee9e019470e7bce41861d09606c39c41facb347c24ca3cf" ], "index": "pypi", - "version": "==1.5.1" + "version": "==1.5.2" }, "contextlib2": { "hashes": [ @@ -205,6 +229,29 @@ "index": "pypi", "version": "==0.10.0" }, + "jsonpatch": { + "hashes": [ + "sha256:26ac385719ac9f54df8a2f0827bb8253aa3ea8ab7b3368457bcdb8c14595a397", + "sha256:b6ddfe6c3db30d81a96aaeceb6baf916094ffa23d7dd5fa2c13e13f8b6e600c2" + ], + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", + "version": "==1.32" + }, + "jsonpointer": { + "hashes": [ + "sha256:150f80c5badd02c757da6644852f612f88e8b4bc2f9852dcbf557c8738919686", + "sha256:5a34b698db1eb79ceac454159d3f7c12a451a91f6334a4f638454327b7a89962" + ], + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", + "version": "==2.1" + }, + "jsonschema": { + "hashes": [ + "sha256:4e5b3cf8216f577bee9ce139cbe72eca3ea4f292ec60928ff24758ce626cd163", + "sha256:c8a85b28d377cc7737e46e2d9f2b4f44ee3c0e1deac6bf46ddefc7187d30797a" + ], + "version": "==3.2.0" + }, "junit-xml": { "hashes": [ "sha256:ec5ca1a55aefdd76d28fcc0b135251d156c7106fa979686a4b48d62b761b4732" @@ -306,6 +353,33 @@ "markers": "python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3'", "version": "==2.4.7" }, + "pyrsistent": { + "hashes": [ + "sha256:097b96f129dd36a8c9e33594e7ebb151b1515eb52cceb08474c10a5479e799f2", + "sha256:2aaf19dc8ce517a8653746d98e962ef480ff34b6bc563fc067be6401ffb457c7", + "sha256:404e1f1d254d314d55adb8d87f4f465c8693d6f902f67eb6ef5b4526dc58e6ea", + "sha256:48578680353f41dca1ca3dc48629fb77dfc745128b56fc01096b2530c13fd426", + "sha256:4916c10896721e472ee12c95cdc2891ce5890898d2f9907b1b4ae0f53588b710", + "sha256:527be2bfa8dc80f6f8ddd65242ba476a6c4fb4e3aedbf281dfbac1b1ed4165b1", + "sha256:58a70d93fb79dc585b21f9d72487b929a6fe58da0754fa4cb9f279bb92369396", + "sha256:5e4395bbf841693eaebaa5bb5c8f5cdbb1d139e07c975c682ec4e4f8126e03d2", + "sha256:6b5eed00e597b5b5773b4ca30bd48a5774ef1e96f2a45d105db5b4ebb4bca680", + "sha256:73ff61b1411e3fb0ba144b8f08d6749749775fe89688093e1efef9839d2dcc35", + "sha256:772e94c2c6864f2cd2ffbe58bb3bdefbe2a32afa0acb1a77e472aac831f83427", + "sha256:773c781216f8c2900b42a7b638d5b517bb134ae1acbebe4d1e8f1f41ea60eb4b", + "sha256:a0c772d791c38bbc77be659af29bb14c38ced151433592e326361610250c605b", + "sha256:b29b869cf58412ca5738d23691e96d8aff535e17390128a1a52717c9a109da4f", + "sha256:c1a9ff320fa699337e05edcaae79ef8c2880b52720bc031b219e5b5008ebbdef", + "sha256:cd3caef37a415fd0dae6148a1b6957a8c5f275a62cca02e18474608cb263640c", + "sha256:d5ec194c9c573aafaceebf05fc400656722793dac57f254cd4741f3c27ae57b4", + "sha256:da6e5e818d18459fa46fac0a4a4e543507fe1110e808101277c5a2b5bab0cd2d", + "sha256:e79d94ca58fcafef6395f6352383fa1a76922268fa02caa2272fff501c2fdc78", + "sha256:f3ef98d7b76da5eb19c37fda834d50262ff9167c65658d1d8f974d2e4d90676b", + "sha256:f4c8cabb46ff8e5d61f56a037974228e978f26bfefce4f61a4b1ac0ba7a2ab72" + ], + "markers": "python_version >= '3.6'", + "version": "==0.18.0" + }, "python-dateutil": { "hashes": [ "sha256:0123cacc1627ae19ddf3c27a5de5bd67ee4586fbdd6440d9748f8abb483d3e86", @@ -453,11 +527,11 @@ }, "websocket-client": { "hashes": [ - "sha256:b68e4959d704768fa20e35c9d508c8dc2bbc041fd8d267c0d7345cffe2824568", - "sha256:e5c333bfa9fa739538b652b6f8c8fc2559f1d364243c8a689d7c0e1d41c2e611" + "sha256:4cf754af7e3b3ba76589d49f9e09fd9a6c0aae9b799a89124d656009c01a261d", + "sha256:8d07f155f8ed14ae3ced97bd7582b08f280bb1bfd27945f023ba2aceff05ab52" ], "markers": "python_version >= '3.6'", - "version": "==1.1.0" + "version": "==1.1.1" }, "zipp": { "hashes": [ @@ -587,7 +661,6 @@ "sha256:4e5b3cf8216f577bee9ce139cbe72eca3ea4f292ec60928ff24758ce626cd163", "sha256:c8a85b28d377cc7737e46e2d9f2b4f44ee3c0e1deac6bf46ddefc7187d30797a" ], - "index": "pypi", "version": "==3.2.0" }, "packaging": { diff --git a/checkov/cloudformation/graph_builder/local_graph.py b/checkov/cloudformation/graph_builder/local_graph.py index 52e1e7020c..6568a04b5f 100644 --- a/checkov/cloudformation/graph_builder/local_graph.py +++ b/checkov/cloudformation/graph_builder/local_graph.py @@ -1,21 +1,44 @@ import logging from typing import Dict, Any +import dpath.util +import six +from cfnlint.template import Template + from checkov.cloudformation.graph_builder.graph_components.block_types import CloudformationTemplateSections, BlockType from checkov.cloudformation.graph_builder.graph_components.blocks import CloudformationBlock +from checkov.cloudformation.parser.cfn_keywords import IntrinsicFunctions, ConditionFunctions, ResourceAttributes from checkov.cloudformation.parser.node import dict_node +from checkov.common.graph.graph_builder import Edge from checkov.common.graph.graph_builder.local_graph import LocalGraph class CloudformationLocalGraph(LocalGraph): + SUPPORTED_RESOURCE_ATTR_CONNECTION_KEYS = (ResourceAttributes.DEPENDS_ON.value, IntrinsicFunctions.CONDITION.value) + SUPPORTED_FN_CONNECTION_KEYS = (IntrinsicFunctions.GET_ATT.value, ConditionFunctions.IF.value, + IntrinsicFunctions.REF.value, IntrinsicFunctions.FIND_IN_MAP.value) + def __init__(self, cfn_definitions: Dict[str, dict_node], source: str = "CloudFormation") -> None: super().__init__() self.definitions = cfn_definitions self.source = source + self._vertices_indexes = {} + self._templates = {} + self._edges_set = set() + self._templates = {file_path: Template(file_path, definition) + for file_path, definition in self.definitions.items()} + self._connection_key_func = { + IntrinsicFunctions.GET_ATT.value: self._fetch_getatt_target_id, + ConditionFunctions.IF.value: self._fetch_if_target_id, + IntrinsicFunctions.REF.value: self._fetch_ref_target_id, + IntrinsicFunctions.FIND_IN_MAP.value: self._fetch_findinmap_target_id + } def build_graph(self, render_variables: bool) -> None: self._create_vertices() logging.info(f"[CloudformationLocalGraph] created {len(self.vertices)} vertices") + self._create_edges() + logging.info(f"[CloudformationLocalGraph] created {len(self.edges)} edges") def _create_vertices(self) -> None: @@ -43,7 +66,6 @@ def extract_resource_attributes(resource: dict_node) -> dict_node: self.vertices_by_block_type[vertex.block_type].append(i) self.vertices_block_name_map[vertex.block_type][vertex.name].append(i) - def _create_section_vertices(self, file_path: str, file_conf: dict, section: CloudformationTemplateSections, block_type: str, attributes_operator: callable = lambda a: a) -> None: for name, obj in get_only_dict_items(file_conf.get(section.value, {})).items(): @@ -62,5 +84,128 @@ def _create_section_vertices(self, file_path: str, file_conf: dict, section: Clo source=self.source )) + if not self._vertices_indexes.get(file_path): + self._vertices_indexes[file_path] = {} + self._vertices_indexes[file_path][name] = len(self.vertices) - 1 + + def _add_resource_attr_connections(self, attribute): + if attribute not in self.SUPPORTED_RESOURCE_ATTR_CONNECTION_KEYS: + return + for origin_node_index, vertex in enumerate(self.vertices): + if vertex.block_type == BlockType.RESOURCE: + vertex_path = vertex.path + vertex_name = vertex.name.split('.')[-1] + vertex_definition = dpath.get(self.definitions, + [vertex_path, CloudformationTemplateSections.RESOURCES.value, + vertex_name]) + target_ids = vertex_definition.get(attribute) + if isinstance(target_ids, (list, six.string_types)): + if isinstance(target_ids, (six.string_types)): + target_ids = [target_ids] + for target_id in target_ids: + if isinstance(target_id, six.string_types): + dest_vertex_index = self._vertices_indexes[vertex_path][target_id] + self._create_edge(origin_node_index, dest_vertex_index, label=attribute) + + def _add_fn_connections(self, key) -> None: + if key not in self.SUPPORTED_FN_CONNECTION_KEYS: + return + for file_path, template in self._templates.items(): + matching_paths = template.search_deep_keys(key) + for matching_path in matching_paths: + # matching_path = [ref_type, source_id, 'Properties', ... , key, value] + # value might be a string or a list of strings + source_id = matching_path[1] + value = matching_path[-1] + attributes = matching_path[3:-2] + + fetch_target_id_func = self._connection_key_func.get(key, None) + if fetch_target_id_func: + target_id = fetch_target_id_func(template, source_id, value) + if target_id: + origin_node_index = self._vertices_indexes[file_path][source_id] + dest_vertex_index = self._vertices_indexes[file_path][target_id] + attributes_joined = '.'.join(map(str, attributes)) # mapping all attributes to str because one of the attrs might be an int + self._create_edge(origin_node_index, dest_vertex_index, label=attributes_joined) + + def _fetch_if_target_id(self, template, source_id, value) -> int: + target_id = None + # value = [condition_name, value_if_true, value_if_false] + if isinstance(value, list) and len(value) == 3 and (self._is_condition(template, value[0])): + target_id = value[0] + return target_id + + def _fetch_getatt_target_id(self, template, source_id, value) -> int: + """ might be one of the 2 following notations: + 1st: { "Fn::GetAtt" : [ "logicalNameOfResource", "attributeName" ] } + 2nd: { "!GetAtt" : "logicalNameOfResource.attributeName" } """ + target_id = None + + # Fn::GetAtt notation + if isinstance(value, list) and len(value) == 2 and (self._is_resource(template, value[0])): + target_id = value[0] + + # !GetAtt notation + if isinstance(value, (six.string_types, six.text_type)) and '.' in value: + if self._is_resource(template, value.split('.')[0]): + target_id = value.split('.')[0] + + return target_id + + def _fetch_ref_target_id(self, template, source_id, value) -> int: + target_id = None + # value might be a string or a list of strings + if isinstance(value, (six.text_type, six.string_types, int)) \ + and (self._is_resource(template, source_id)) \ + and ((self._is_resource(template, value)) or (self._is_parameter(template, value))): + target_id = value + return target_id + + def _fetch_findinmap_target_id(self, template, source_id, value) -> int: + target_id = None + # value = [ MapName, TopLevelKey, SecondLevelKey ] + if isinstance(value, list) and len(value) == 3 and (self._is_mapping(template, value[0])): + target_id = value[0] + return target_id + + def _create_edges(self) -> None: + self._add_resource_attr_connections(ResourceAttributes.DEPENDS_ON.value) + self._add_resource_attr_connections(IntrinsicFunctions.CONDITION.value) + self._add_fn_connections(IntrinsicFunctions.GET_ATT.value) + self._add_fn_connections(ConditionFunctions.IF.value) + self._add_fn_connections(IntrinsicFunctions.REF.value) + self._add_fn_connections(IntrinsicFunctions.FIND_IN_MAP.value) + + def _create_edge(self, origin_vertex_index: int, dest_vertex_index: int, label: str) -> None: + if origin_vertex_index == dest_vertex_index: + return + edge = Edge(origin_vertex_index, dest_vertex_index, label) + if edge not in self._edges_set: + self._edges_set.add(edge) + self.edges.append(edge) + self.out_edges[origin_vertex_index].append(edge) + self.in_edges[dest_vertex_index].append(edge) + + @staticmethod + def _is_parameter(template, identifier): + """Check if the identifier is that of a Parameter""" + return template.template.get(CloudformationTemplateSections.PARAMETERS, {}).get(identifier, {}) + + @staticmethod + def _is_mapping(template, identifier): + """Check if the identifier is that of a Mapping""" + return template.template.get(CloudformationTemplateSections.MAPPINGS, {}).get(identifier, {}) + + @staticmethod + def _is_condition(template, identifier): + """Check if the identifier is that of a Condition""" + return template.template.get(CloudformationTemplateSections.CONDITIONS, {}).get(identifier, {}) + + @staticmethod + def _is_resource(template, identifier): + """Check if the identifier is that of a Resource""" + return template.template.get(CloudformationTemplateSections.RESOURCES, {}).get(identifier, {}) + + def get_only_dict_items(origin_dict: Dict[str, Any]) -> Dict[str, Dict[str, Any]]: return {key: value for key, value in origin_dict.items() if isinstance(value, dict)} diff --git a/checkov/cloudformation/parser/__init__.py b/checkov/cloudformation/parser/__init__.py index 7b9d3af592..4ca906a193 100644 --- a/checkov/cloudformation/parser/__init__.py +++ b/checkov/cloudformation/parser/__init__.py @@ -4,6 +4,7 @@ from checkov.cloudformation.parser import cfn_yaml, cfn_json from checkov.cloudformation.parser.node import dict_node +from checkov.cloudformation.graph_builder.graph_components.block_types import CloudformationTemplateSections from yaml.parser import ScannerError from yaml import YAMLError @@ -43,4 +44,10 @@ def parse(filename: str) -> Union[Tuple[dict_node, List[Tuple[int, str]]], Tuple except YAMLError as err: pass + resources = template.get(CloudformationTemplateSections.RESOURCES.value) + if resources: + if '__startline__' in resources: + resources.pop('__startline__') + if '__endline__' in resources: + resources.pop('__endline__') return template, template_lines diff --git a/checkov/cloudformation/parser/cfn_keywords.py b/checkov/cloudformation/parser/cfn_keywords.py new file mode 100644 index 0000000000..d610cfcadd --- /dev/null +++ b/checkov/cloudformation/parser/cfn_keywords.py @@ -0,0 +1,34 @@ +from enum import Enum + + +class IntrinsicFunctions(str, Enum): + BASE64 = "Fn::Base64" + CIDR = "Fn::Cidr" + FIND_IN_MAP = "Fn::FindInMap" + GET_ATT = "Fn::GetAtt" + GET_AZS = "Fn::GetAZs" + IMPORT_VALUE = "Fn::ImportValue" + JOIN = "Fn::Join" + SELECT = "Fn::Select" + SPLIT = "Fn::Split" + SUB = "Fn::Sub" + TRANSFORM = "Fn::Transform" + REF = "Ref" + CONDITION = "Condition" + + +class ConditionFunctions(str, Enum): + AND = "Fn::And" + EQUALS = "Fn::Equals" + IF = "Fn::If" + NOT = "Fn::Not" + OR = "Fn::Or" + + +class ResourceAttributes(str, Enum): + CREATION_POLICY = "CreationPolicy" + DELETION_POLICY = "DeletionPolicy" + DEPENDS_ON = "DependsOn" + METADATA = "Metadata" + UPDATE_POLICY = "UpdatePolicy" + UPDATE_REPLACE_POLICY = "UpdateReplacePolicy" diff --git a/checkov/common/graph/graph_builder/graph_components/edge.py b/checkov/common/graph/graph_builder/graph_components/edge.py index f07b2e1324..650d124c63 100644 --- a/checkov/common/graph/graph_builder/graph_components/edge.py +++ b/checkov/common/graph/graph_builder/graph_components/edge.py @@ -6,3 +6,12 @@ def __init__(self, origin: int, dest: int, label: str) -> None: def __str__(self) -> str: return f"[{self.origin} -({self.label})-> {self.dest}]" + + def __eq__(self, other) -> bool: + return isinstance(other, Edge) and str(self) == str(other) + + def __ne__(self, other) -> bool: + return not self.__eq__(other) + + def __hash__(self): + return hash(str(self)) \ No newline at end of file From d0a24d92b66edfaa813b79113fcfaaa7571f6503 Mon Sep 17 00:00:00 2001 From: "Nicholas S. Castellano" Date: Sun, 15 Aug 2021 11:58:20 -0400 Subject: [PATCH 098/203] Requires junit-xml>=1.9, fixes #1495 --- Pipfile | 2 +- Pipfile.lock | 40 ++++++++++++++++++++++++++++++---------- setup.py | 2 +- 3 files changed, 32 insertions(+), 12 deletions(-) diff --git a/Pipfile b/Pipfile index ef3df7dbb1..c2f19fac07 100644 --- a/Pipfile +++ b/Pipfile @@ -23,7 +23,7 @@ deep_merge = "*" tabulate = "*" colorama="*" termcolor="*" -junit-xml ="*" +junit-xml = ">=1.9" dpath = ">=1.5.0,<2" pyyaml = ">=5.4.1" boto3 = "==1.17.*" diff --git a/Pipfile.lock b/Pipfile.lock index 0ba6bf46d4..4e5d5b33a4 100644 --- a/Pipfile.lock +++ b/Pipfile.lock @@ -1,7 +1,7 @@ { "_meta": { "hash": { - "sha256": "8dded0accadc2382e9bf421a3643aa1a4eb0a7ced54bffdbcb0a8e0e5502f2ac" + "sha256": "59ae28dfc33196758545ef134178198dde9a1bbf23289701f45c74a5aac9efe4" }, "pipfile-spec": 6, "requires": { @@ -183,11 +183,11 @@ }, "importlib-metadata": { "hashes": [ - "sha256:0645585859e9a6689c523927a5032f2ba5919f1f7d0e84bd4533312320de1ff9", - "sha256:51c6635429c77cf1ae634c997ff9e53ca3438b495f10a55ba28594dd69764a8b" + "sha256:7b30a78db2922d78a6f47fb30683156a14f3c6aa5cc23f77cc8967e9ab2d002f", + "sha256:ed5157fef23a4bc4594615a0dd8eba94b2bb36bf2a343fa3d8bb2fa0a62a99d5" ], "index": "pypi", - "version": "==4.6.3" + "version": "==4.6.4" }, "jinja2": { "hashes": [ @@ -233,30 +233,50 @@ "sha256:0446679737af14f45767963a1a9ef7620189912317d095f2d9ffa183a4d25d2b", "sha256:0717a7390a68be14b8c793ba258e075c6f4ca819f15edfc2a3a027c823718567", "sha256:0955295dd5eec6cb6cc2fe1698f4c6d84af2e92de33fbcac4111913cd100a6ff", + "sha256:0d4b31cc67ab36e3392bbf3862cfbadac3db12bdd8b02a2731f509ed5b829724", "sha256:10f82115e21dc0dfec9ab5c0223652f7197feb168c940f3ef61563fc2d6beb74", + "sha256:168cd0a3642de83558a5153c8bd34f175a9a6e7f6dc6384b9655d2697312a646", "sha256:1d609f577dc6e1aa17d746f8bd3c31aa4d258f4070d61b2aa5c4166c1539de35", + "sha256:1f2ade76b9903f39aa442b4aadd2177decb66525062db244b35d71d0ee8599b6", + "sha256:2a7d351cbd8cfeb19ca00de495e224dea7e7d919659c2841bbb7f420ad03e2d6", + "sha256:2d7d807855b419fc2ed3e631034685db6079889a1f01d5d9dac950f764da3dad", "sha256:2ef54abee730b502252bcdf31b10dacb0a416229b72c18b19e24a4509f273d26", + "sha256:36bc903cbb393720fad60fc28c10de6acf10dc6cc883f3e24ee4012371399a38", + "sha256:37205cac2a79194e3750b0af2a5720d95f786a55ce7df90c3af697bfa100eaac", "sha256:3c112550557578c26af18a1ccc9e090bfe03832ae994343cfdacd287db6a6ae7", + "sha256:3dd007d54ee88b46be476e293f48c85048603f5f516008bee124ddd891398ed6", "sha256:47ab1e7b91c098ab893b828deafa1203de86d0bc6ab587b160f78fe6c4011f75", "sha256:49e3ceeabbfb9d66c3aef5af3a60cc43b85c33df25ce03d0031a608b0a8b2e3f", "sha256:4efca8f86c54b22348a5467704e3fec767b2db12fc39c6d963168ab1d3fc9135", "sha256:53edb4da6925ad13c07b6d26c2a852bd81e364f95301c66e930ab2aef5b5ddd8", + "sha256:5855f8438a7d1d458206a2466bf82b0f104a3724bf96a1c781ab731e4201731a", "sha256:594c67807fb16238b30c44bdf74f36c02cdf22d1c8cda91ef8a0ed8dabf5620a", + "sha256:5bb28c636d87e840583ee3adeb78172efc47c8b26127267f54a9c0ec251d41a9", + "sha256:60bf42e36abfaf9aff1f50f52644b336d4f0a3fd6d8a60ca0d054ac9f713a864", "sha256:611d1ad9a4288cf3e3c16014564df047fe08410e628f89805e475368bd304914", "sha256:6557b31b5e2c9ddf0de32a691f2312a32f77cd7681d8af66c2692efdbef84c18", "sha256:693ce3f9e70a6cf7d2fb9e6c9d8b204b6b39897a2c4a1aa65728d5ac97dcc1d8", "sha256:6a7fae0dd14cf60ad5ff42baa2e95727c3d81ded453457771d02b7d2b3f9c0c2", "sha256:6c4ca60fa24e85fe25b912b01e62cb969d69a23a5d5867682dd3e80b5b02581d", + "sha256:6fcf051089389abe060c9cd7caa212c707e58153afa2c649f00346ce6d260f1b", "sha256:7d91275b0245b1da4d4cfa07e0faedd5b0812efc15b702576d103293e252af1b", "sha256:905fec760bd2fa1388bb5b489ee8ee5f7291d692638ea5f67982d968366bef9f", "sha256:97383d78eb34da7e1fa37dd273c20ad4320929af65d156e35a5e2d89566d9dfb", "sha256:984d76483eb32f1bcb536dc27e4ad56bba4baa70be32fa87152832cdd9db0833", + "sha256:99df47edb6bda1249d3e80fdabb1dab8c08ef3975f69aed437cb69d0a5de1e28", "sha256:a30e67a65b53ea0a5e62fe23682cfe22712e01f453b95233b25502f7c61cb415", "sha256:ab3ef638ace319fa26553db0624c4699e31a28bb2a835c5faca8f8acf6a5a902", + "sha256:add36cb2dbb8b736611303cd3bfcee00afd96471b09cda130da3581cbdc56a6d", "sha256:b2f4bf27480f5e5e8ce285a8c8fd176c0b03e93dcc6646477d4630e83440c6a9", "sha256:b7f2d075102dc8c794cbde1947378051c4e5180d52d276987b8d28a3bd58c17d", + "sha256:baa1a4e8f868845af802979fcdbf0bb11f94f1cb7ced4c4b8a351bb60d108145", "sha256:be98f628055368795d818ebf93da628541e10b75b41c559fdf36d104c5787066", + "sha256:bf5d821ffabf0ef3533c39c518f3357b171a1651c1ff6827325e4489b0e46c3c", + "sha256:c47adbc92fc1bb2b3274c4b3a43ae0e4573d9fbff4f54cd484555edbf030baf1", "sha256:d7f9850398e85aba693bb640262d3611788b1f29a79f0c93c565694658f4071f", + "sha256:d8446c54dc28c01e5a2dbac5a25f071f6653e6e40f3a8818e8b45d790fe6ef53", + "sha256:e0f138900af21926a02425cf736db95be9f4af72ba1bb21453432a07f6082134", + "sha256:e9936f0b261d4df76ad22f8fee3ae83b60d7c3e871292cd42f40b81b70afae85", "sha256:f5653a225f31e113b152e56f154ccbe59eeb1c7487b39b9d9f9cdb58e6c79dc5", "sha256:f826e31d18b516f653fe296d967d700fddad5901ae07c622bb3705955e1faa94", "sha256:f8ba0e8349a38d3001fae7eadded3f6606f0da5d748ee53cc1dab1d6527b9509", @@ -420,11 +440,11 @@ }, "tqdm": { "hashes": [ - "sha256:3642d483b558eec80d3c831e23953582c34d7e4540db86d9e5ed9dad238dabc6", - "sha256:706dea48ee05ba16e936ee91cb3791cd2ea6da348a0e50b46863ff4363ff4340" + "sha256:07856e19a1fe4d2d9621b539d3f072fa88c9c1ef1f3b7dd4d4953383134c3164", + "sha256:35540feeaca9ac40c304e916729e6b78045cbbeccd3e941b2868f09306798ac9" ], "index": "pypi", - "version": "==4.62.0" + "version": "==4.62.1" }, "typing-extensions": { "hashes": [ @@ -453,11 +473,11 @@ }, "websocket-client": { "hashes": [ - "sha256:4cf754af7e3b3ba76589d49f9e09fd9a6c0aae9b799a89124d656009c01a261d", - "sha256:8d07f155f8ed14ae3ced97bd7582b08f280bb1bfd27945f023ba2aceff05ab52" + "sha256:0133d2f784858e59959ce82ddac316634229da55b498aac311f1620567a710ec", + "sha256:8dfb715d8a992f5712fff8c843adae94e22b22a99b2c5e6b0ec4a1a981cc4e0d" ], "markers": "python_version >= '3.6'", - "version": "==1.1.1" + "version": "==1.2.1" }, "zipp": { "hashes": [ diff --git a/setup.py b/setup.py index d9f0cd62a1..991fef5940 100644 --- a/setup.py +++ b/setup.py @@ -39,7 +39,7 @@ "tabulate", "colorama", "termcolor", - "junit-xml", + "junit-xml>=1.9", "dpath>=1.5.0,<2", "pyyaml>=5.4.1", "boto3==1.17.*", From ffd7346aa72d6166408b37e665077150b9f1a891 Mon Sep 17 00:00:00 2001 From: Saar Ettinger Date: Sun, 15 Aug 2021 22:28:56 +0300 Subject: [PATCH 099/203] added fn sub, tests and default ref evaluation after edge creations --- checkov/cloudformation/cfn_utils.py | 19 +- .../graph_components/block_types.py | 10 - .../graph_builder/graph_to_definitions.py | 5 +- .../graph_builder/local_graph.py | 111 +++++++---- checkov/cloudformation/parser/__init__.py | 4 +- checkov/cloudformation/parser/cfn_keywords.py | 11 ++ checkov/cloudformation/runner.py | 17 +- .../resources/edges_json/test.json | 179 ++++++++++++++++++ .../resources/edges_yaml/test.yaml | 83 ++++++++ .../resources/{ => vertices}/test.json | 0 .../resources/{ => vertices}/test.yaml | 0 .../graph/graph_builder/test_local_graph.py | 74 +++++++- tests/cloudformation/utils/test_cfn_utils.py | 22 +-- 13 files changed, 457 insertions(+), 78 deletions(-) create mode 100644 tests/cloudformation/graph/graph_builder/resources/edges_json/test.json create mode 100644 tests/cloudformation/graph/graph_builder/resources/edges_yaml/test.yaml rename tests/cloudformation/graph/graph_builder/resources/{ => vertices}/test.json (100%) rename tests/cloudformation/graph/graph_builder/resources/{ => vertices}/test.yaml (100%) diff --git a/checkov/cloudformation/cfn_utils.py b/checkov/cloudformation/cfn_utils.py index c020e9641c..2cbfa4f355 100644 --- a/checkov/cloudformation/cfn_utils.py +++ b/checkov/cloudformation/cfn_utils.py @@ -8,8 +8,7 @@ from checkov.cloudformation.checks.resource.base_registry import Registry from checkov.cloudformation.checks.resource.registry import cfn_registry from checkov.cloudformation.context_parser import ContextParser, ENDLINE, STARTLINE -from checkov.cloudformation.graph_builder.graph_components.block_types import CloudformationTemplateSections -from checkov.cloudformation.parser import parse +from checkov.cloudformation.parser import parse, TemplateSections from checkov.cloudformation.parser.node import dict_node, list_node, str_node from checkov.common.runners.base_runner import filter_ignored_paths from checkov.runner_filter import RunnerFilter @@ -133,7 +132,7 @@ def build_definitions_context( for file_path_definition, definition in file_path_definitions.items(): if ( isinstance(file_path_definition, str_node) - and file_path_definition.upper() in CloudformationTemplateSections.__members__ + and file_path_definition.upper() in TemplateSections.__members__ and isinstance(definition, dict_node) ): # iterate on the actual objects of each definition @@ -165,7 +164,7 @@ def build_definitions_context( [file_path, str(file_path_definition), str(attribute)], {"start_line": start_line, "end_line": end_line, "code_lines": code_lines}, ) - if file_path_definition.upper() == CloudformationTemplateSections.RESOURCES.value.upper(): + if file_path_definition.upper() == TemplateSections.RESOURCES.value.upper(): skipped_checks = ContextParser.collect_skip_comments(code_lines) dpath.new( definitions_context, @@ -189,7 +188,8 @@ def create_file_abs_path(root_folder: str, cf_file: str) -> str: def create_definitions( - root_folder: str, files: Optional[List[str]] = None, runner_filter: RunnerFilter = RunnerFilter() + root_folder: str, files: Optional[List[str]] = None, + runner_filter: RunnerFilter = RunnerFilter(), is_evaluate_default_refs: bool = True ) -> Tuple[Dict[str, dict_node], Dict[str, List[Tuple[int, str]]]]: definitions = {} definitions_raw = {} @@ -208,10 +208,15 @@ def create_definitions( } definitions_raw = {k: v for k, v in definitions_raw.items() if k in definitions.keys()} + if is_evaluate_default_refs: + evaluate_default_refs(definitions, definitions_raw) + return definitions, definitions_raw + + +def evaluate_default_refs(definitions, definitions_raw): for cf_file in definitions.keys(): cf_context_parser = ContextParser(cf_file, definitions[cf_file], definitions_raw[cf_file]) logging.debug( "Template Dump for {}: {}".format(cf_file, json.dumps(definitions[cf_file], indent=2, default=str)) ) - cf_context_parser.evaluate_default_refs() - return definitions, definitions_raw + cf_context_parser.evaluate_default_refs() \ No newline at end of file diff --git a/checkov/cloudformation/graph_builder/graph_components/block_types.py b/checkov/cloudformation/graph_builder/graph_components/block_types.py index 1242fa6c56..370ad6d22d 100644 --- a/checkov/cloudformation/graph_builder/graph_components/block_types.py +++ b/checkov/cloudformation/graph_builder/graph_components/block_types.py @@ -1,5 +1,4 @@ from dataclasses import dataclass -from enum import Enum from checkov.common.graph.graph_builder.graph_components.block_types import BlockType as CommonBlockType @@ -15,12 +14,3 @@ class BlockType(CommonBlockType): OUTPUT = "outputs" -class CloudformationTemplateSections(str, Enum): - RESOURCES = "Resources" - METADATA = "Metadata" - PARAMETERS = "Parameters" - RULES = "Rules" - MAPPINGS = "Mappings" - CONDITIONS = "Conditions" - TRANSFORM = "Transform" - OUTPUTS = "Outputs" diff --git a/checkov/cloudformation/graph_builder/graph_to_definitions.py b/checkov/cloudformation/graph_builder/graph_to_definitions.py index 3f967ff6f1..d538f0d18f 100644 --- a/checkov/cloudformation/graph_builder/graph_to_definitions.py +++ b/checkov/cloudformation/graph_builder/graph_to_definitions.py @@ -1,7 +1,8 @@ import os from typing import List, Dict, Any, Tuple -from checkov.cloudformation.graph_builder.graph_components.block_types import CloudformationTemplateSections, BlockType +from checkov.cloudformation.graph_builder.graph_components.block_types import BlockType +from checkov.cloudformation.parser import TemplateSections from checkov.cloudformation.graph_builder.graph_components.blocks import CloudformationBlock from checkov.cloudformation.parser.node import dict_node @@ -15,7 +16,7 @@ def convert_graph_vertices_to_definitions( if vertex.block_type != BlockType.RESOURCE: continue block_path = vertex.path - block_type = CloudformationTemplateSections.RESOURCES.value if vertex.block_type == 'resource' else vertex.block_type + block_type = TemplateSections.RESOURCES.value if vertex.block_type == 'resource' else vertex.block_type block_name = vertex.name.split('.')[-1] # vertex.name is "type.name" so type.name -> [type, name] definition = { diff --git a/checkov/cloudformation/graph_builder/local_graph.py b/checkov/cloudformation/graph_builder/local_graph.py index 6568a04b5f..b942c0741b 100644 --- a/checkov/cloudformation/graph_builder/local_graph.py +++ b/checkov/cloudformation/graph_builder/local_graph.py @@ -1,13 +1,16 @@ import logging +import re +from inspect import ismethod from typing import Dict, Any import dpath.util import six from cfnlint.template import Template -from checkov.cloudformation.graph_builder.graph_components.block_types import CloudformationTemplateSections, BlockType +from checkov.cloudformation.graph_builder.graph_components.block_types import BlockType from checkov.cloudformation.graph_builder.graph_components.blocks import CloudformationBlock -from checkov.cloudformation.parser.cfn_keywords import IntrinsicFunctions, ConditionFunctions, ResourceAttributes +from checkov.cloudformation.parser.cfn_keywords import IntrinsicFunctions, ConditionFunctions, ResourceAttributes, \ + TemplateSections from checkov.cloudformation.parser.node import dict_node from checkov.common.graph.graph_builder import Edge from checkov.common.graph.graph_builder.local_graph import LocalGraph @@ -53,23 +56,23 @@ def extract_resource_attributes(resource: dict_node) -> dict_node: return attributes for file_path, file_conf in self.definitions.items(): - self._create_section_vertices(file_path, file_conf, CloudformationTemplateSections.RESOURCES, + self._create_section_vertices(file_path, file_conf, TemplateSections.RESOURCES, BlockType.RESOURCE, extract_resource_attributes) - self._create_section_vertices(file_path, file_conf, CloudformationTemplateSections.OUTPUTS, BlockType.OUTPUT) - self._create_section_vertices(file_path, file_conf, CloudformationTemplateSections.MAPPINGS, BlockType.MAPPING) - self._create_section_vertices(file_path, file_conf, CloudformationTemplateSections.CONDITIONS, + self._create_section_vertices(file_path, file_conf, TemplateSections.OUTPUTS, BlockType.OUTPUT) + self._create_section_vertices(file_path, file_conf, TemplateSections.MAPPINGS, BlockType.MAPPING) + self._create_section_vertices(file_path, file_conf, TemplateSections.CONDITIONS, BlockType.CONDITION) - self._create_section_vertices(file_path, file_conf, CloudformationTemplateSections.PARAMETERS, + self._create_section_vertices(file_path, file_conf, TemplateSections.PARAMETERS, BlockType.PARAMETER) for i, vertex in enumerate(self.vertices): self.vertices_by_block_type[vertex.block_type].append(i) self.vertices_block_name_map[vertex.block_type][vertex.name].append(i) - def _create_section_vertices(self, file_path: str, file_conf: dict, section: CloudformationTemplateSections, + def _create_section_vertices(self, file_path: str, file_conf: dict, section: TemplateSections, block_type: str, attributes_operator: callable = lambda a: a) -> None: for name, obj in get_only_dict_items(file_conf.get(section.value, {})).items(): - is_resources_section = section == CloudformationTemplateSections.RESOURCES + is_resources_section = section == TemplateSections.RESOURCES attributes = attributes_operator(obj) block_name = name if not is_resources_section else f"{obj.get('Type', 'UnTyped')}.{name}" config = obj if not is_resources_section else obj.get("Properties") @@ -96,7 +99,7 @@ def _add_resource_attr_connections(self, attribute): vertex_path = vertex.path vertex_name = vertex.name.split('.')[-1] vertex_definition = dpath.get(self.definitions, - [vertex_path, CloudformationTemplateSections.RESOURCES.value, + [vertex_path, TemplateSections.RESOURCES.value, vertex_name]) target_ids = vertex_definition.get(attribute) if isinstance(target_ids, (list, six.string_types)): @@ -107,35 +110,43 @@ def _add_resource_attr_connections(self, attribute): dest_vertex_index = self._vertices_indexes[vertex_path][target_id] self._create_edge(origin_node_index, dest_vertex_index, label=attribute) + def _extract_source_value_attrs(self, matching_path): + # matching_path for Resource = [template_section, source_id, 'Properties', ... , key, value] + # matching_path otherwise = # matching_path for Resource = [template_section, source_id, ... , key, value] + # key = Ref, GetAtt, etc... + template_section = matching_path[0] + source_id = matching_path[1] + value = matching_path[-1] + attrs_starting_index = 3 if template_section == TemplateSections.RESOURCES else 2 + attributes = matching_path[attrs_starting_index:-2] + return source_id, value, attributes + def _add_fn_connections(self, key) -> None: if key not in self.SUPPORTED_FN_CONNECTION_KEYS: return + extract_target_id_func = self._connection_key_func.get(key, None) + if not ismethod(extract_target_id_func): + return + for file_path, template in self._templates.items(): matching_paths = template.search_deep_keys(key) for matching_path in matching_paths: - # matching_path = [ref_type, source_id, 'Properties', ... , key, value] - # value might be a string or a list of strings - source_id = matching_path[1] - value = matching_path[-1] - attributes = matching_path[3:-2] - - fetch_target_id_func = self._connection_key_func.get(key, None) - if fetch_target_id_func: - target_id = fetch_target_id_func(template, source_id, value) - if target_id: - origin_node_index = self._vertices_indexes[file_path][source_id] - dest_vertex_index = self._vertices_indexes[file_path][target_id] - attributes_joined = '.'.join(map(str, attributes)) # mapping all attributes to str because one of the attrs might be an int - self._create_edge(origin_node_index, dest_vertex_index, label=attributes_joined) + source_id, value, attributes = self._extract_source_value_attrs(matching_path) + target_id = extract_target_id_func(template, value) + if target_id: + origin_node_index = self._vertices_indexes[file_path][source_id] + dest_vertex_index = self._vertices_indexes[file_path][target_id] + attributes_joined = '.'.join(map(str, attributes)) # mapping all attributes to str because one of the attrs might be an int + self._create_edge(origin_node_index, dest_vertex_index, label=attributes_joined) - def _fetch_if_target_id(self, template, source_id, value) -> int: + def _fetch_if_target_id(self, template, value) -> int: target_id = None # value = [condition_name, value_if_true, value_if_false] if isinstance(value, list) and len(value) == 3 and (self._is_condition(template, value[0])): target_id = value[0] return target_id - def _fetch_getatt_target_id(self, template, source_id, value) -> int: + def _fetch_getatt_target_id(self, template, value) -> int: """ might be one of the 2 following notations: 1st: { "Fn::GetAtt" : [ "logicalNameOfResource", "attributeName" ] } 2nd: { "!GetAtt" : "logicalNameOfResource.attributeName" } """ @@ -152,22 +163,55 @@ def _fetch_getatt_target_id(self, template, source_id, value) -> int: return target_id - def _fetch_ref_target_id(self, template, source_id, value) -> int: + def _fetch_ref_target_id(self, template, value) -> int: target_id = None # value might be a string or a list of strings if isinstance(value, (six.text_type, six.string_types, int)) \ - and (self._is_resource(template, source_id)) \ and ((self._is_resource(template, value)) or (self._is_parameter(template, value))): target_id = value return target_id - def _fetch_findinmap_target_id(self, template, source_id, value) -> int: + def _fetch_findinmap_target_id(self, template, value) -> int: target_id = None # value = [ MapName, TopLevelKey, SecondLevelKey ] if isinstance(value, list) and len(value) == 3 and (self._is_mapping(template, value[0])): target_id = value[0] return target_id + def _add_fn_sub_connections(self): + for file_path, template in self._templates.items(): + # add edges for "Fn::Sub" tags. E.g. { "Fn::Sub": "arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:vpc/${vpc}" } + sub_objs = template.search_deep_keys(IntrinsicFunctions.SUB.value) + for sub_obj in sub_objs: + sub_parameters = [] + sub_parameter_values = {} + source_id, value, attributes = self._extract_source_value_attrs(sub_obj) + + if isinstance(value, list): + if not value: + continue + if len(value) == 2: + sub_parameter_values = value[1] + sub_parameters = self._find_fn_sub_parameter(value[0]) + elif isinstance(value, (six.text_type, six.string_types)): + sub_parameters = self._find_fn_sub_parameter(value) + + for sub_parameter in sub_parameters: + if sub_parameter not in sub_parameter_values: + if '.' in sub_parameter: + sub_parameter = sub_parameter.split('.')[0] + origin_node_index = self._vertices_indexes[file_path][source_id] + dest_vertex_index = self._vertices_indexes[file_path][sub_parameter] + attributes_joined = '.'.join(map(str, + attributes)) # mapping all attributes to str because one of the attrs might be an int + self._create_edge(origin_node_index, dest_vertex_index, label=attributes_joined) + + @staticmethod + def _find_fn_sub_parameter(string): + """Search string for tokenized fields""" + regex = re.compile(r'\${([a-zA-Z0-9.]*)}') + return regex.findall(string) + def _create_edges(self) -> None: self._add_resource_attr_connections(ResourceAttributes.DEPENDS_ON.value) self._add_resource_attr_connections(IntrinsicFunctions.CONDITION.value) @@ -175,6 +219,7 @@ def _create_edges(self) -> None: self._add_fn_connections(ConditionFunctions.IF.value) self._add_fn_connections(IntrinsicFunctions.REF.value) self._add_fn_connections(IntrinsicFunctions.FIND_IN_MAP.value) + self._add_fn_sub_connections() def _create_edge(self, origin_vertex_index: int, dest_vertex_index: int, label: str) -> None: if origin_vertex_index == dest_vertex_index: @@ -189,22 +234,22 @@ def _create_edge(self, origin_vertex_index: int, dest_vertex_index: int, label: @staticmethod def _is_parameter(template, identifier): """Check if the identifier is that of a Parameter""" - return template.template.get(CloudformationTemplateSections.PARAMETERS, {}).get(identifier, {}) + return template.template.get(TemplateSections.PARAMETERS, {}).get(identifier, {}) @staticmethod def _is_mapping(template, identifier): """Check if the identifier is that of a Mapping""" - return template.template.get(CloudformationTemplateSections.MAPPINGS, {}).get(identifier, {}) + return template.template.get(TemplateSections.MAPPINGS, {}).get(identifier, {}) @staticmethod def _is_condition(template, identifier): """Check if the identifier is that of a Condition""" - return template.template.get(CloudformationTemplateSections.CONDITIONS, {}).get(identifier, {}) + return template.template.get(TemplateSections.CONDITIONS, {}).get(identifier, {}) @staticmethod def _is_resource(template, identifier): """Check if the identifier is that of a Resource""" - return template.template.get(CloudformationTemplateSections.RESOURCES, {}).get(identifier, {}) + return template.template.get(TemplateSections.RESOURCES, {}).get(identifier, {}) def get_only_dict_items(origin_dict: Dict[str, Any]) -> Dict[str, Dict[str, Any]]: diff --git a/checkov/cloudformation/parser/__init__.py b/checkov/cloudformation/parser/__init__.py index 4ca906a193..dc350606d4 100644 --- a/checkov/cloudformation/parser/__init__.py +++ b/checkov/cloudformation/parser/__init__.py @@ -4,7 +4,7 @@ from checkov.cloudformation.parser import cfn_yaml, cfn_json from checkov.cloudformation.parser.node import dict_node -from checkov.cloudformation.graph_builder.graph_components.block_types import CloudformationTemplateSections +from checkov.cloudformation.parser.cfn_keywords import TemplateSections from yaml.parser import ScannerError from yaml import YAMLError @@ -44,7 +44,7 @@ def parse(filename: str) -> Union[Tuple[dict_node, List[Tuple[int, str]]], Tuple except YAMLError as err: pass - resources = template.get(CloudformationTemplateSections.RESOURCES.value) + resources = template.get(TemplateSections.RESOURCES.value) if resources: if '__startline__' in resources: resources.pop('__startline__') diff --git a/checkov/cloudformation/parser/cfn_keywords.py b/checkov/cloudformation/parser/cfn_keywords.py index d610cfcadd..7dac8fe097 100644 --- a/checkov/cloudformation/parser/cfn_keywords.py +++ b/checkov/cloudformation/parser/cfn_keywords.py @@ -32,3 +32,14 @@ class ResourceAttributes(str, Enum): METADATA = "Metadata" UPDATE_POLICY = "UpdatePolicy" UPDATE_REPLACE_POLICY = "UpdateReplacePolicy" + + +class TemplateSections(str, Enum): + RESOURCES = "Resources" + METADATA = "Metadata" + PARAMETERS = "Parameters" + RULES = "Rules" + MAPPINGS = "Mappings" + CONDITIONS = "Conditions" + TRANSFORM = "Transform" + OUTPUTS = "Outputs" \ No newline at end of file diff --git a/checkov/cloudformation/runner.py b/checkov/cloudformation/runner.py index bf7bd510f0..7d2bfd272b 100644 --- a/checkov/cloudformation/runner.py +++ b/checkov/cloudformation/runner.py @@ -3,10 +3,10 @@ from typing import Optional, List from checkov.cloudformation import cfn_utils -from checkov.cloudformation.cfn_utils import create_definitions, build_definitions_context +from checkov.cloudformation.cfn_utils import create_definitions, build_definitions_context, evaluate_default_refs from checkov.cloudformation.checks.resource.registry import cfn_registry from checkov.cloudformation.context_parser import ContextParser -from checkov.cloudformation.graph_builder.graph_components.block_types import CloudformationTemplateSections +from checkov.cloudformation.parser import TemplateSections from checkov.cloudformation.graph_builder.graph_to_definitions import convert_graph_vertices_to_definitions from checkov.cloudformation.graph_builder.local_graph import CloudformationLocalGraph from checkov.cloudformation.graph_manager import CloudformationGraphManager @@ -52,17 +52,18 @@ def run( report = Report(self.check_type) if self.context is None or self.definitions is None or self.breadcrumbs is None: - self.definitions, self.definitions_raw = create_definitions(root_folder, files, runner_filter) + self.definitions, self.definitions_raw = create_definitions(root_folder, files, runner_filter, False) if external_checks_dir: for directory in external_checks_dir: cfn_registry.load_external_checks(directory) self.graph_registry.load_external_checks(directory) - self.context = build_definitions_context(self.definitions, self.definitions_raw, root_folder) logging.info("creating cloudformation graph") local_graph = self.graph_manager.build_graph_from_definitions(self.definitions) self.graph_manager.save_graph(local_graph) self.definitions, self.breadcrumbs = convert_graph_vertices_to_definitions(local_graph.vertices, root_folder) + evaluate_default_refs(self.definitions, self.definitions_raw) + self.context = build_definitions_context(self.definitions, self.definitions_raw, root_folder) # run checks self.check_definitions(root_folder, runner_filter, report) @@ -78,13 +79,13 @@ def check_definitions(self, root_folder, runner_filter, report): cf_file = f"/{os.path.relpath(file_abs_path, root_folder)}" - if isinstance(definition, dict) and CloudformationTemplateSections.RESOURCES in definition.keys(): - for resource_name, resource in definition[CloudformationTemplateSections.RESOURCES].items(): + if isinstance(definition, dict) and TemplateSections.RESOURCES in definition.keys(): + for resource_name, resource in definition[TemplateSections.RESOURCES].items(): resource_id = ContextParser.extract_cf_resource_id(resource, resource_name) # check that the resource can be parsed as a CF resource if resource_id: resource_context = self.context[file_abs_path][ - CloudformationTemplateSections.RESOURCES][resource_name] + TemplateSections.RESOURCES][resource_name] entity_lines_range = [resource_context['start_line'], resource_context['end_line']] entity_code_lines = resource_context['code_lines'] if entity_lines_range and entity_code_lines: @@ -121,7 +122,7 @@ def get_graph_checks_report(self, root_folder: str, runner_filter: RunnerFilter) entity_file_abs_path = entity.get(CustomAttributes.FILE_PATH) entity_file_path = scanned_file = f"/{os.path.relpath(entity_file_abs_path, root_folder)}" entity_name = entity.get(CustomAttributes.BLOCK_NAME).split(".")[1] - entity_context = self.context[entity_file_abs_path][CloudformationTemplateSections.RESOURCES][ + entity_context = self.context[entity_file_abs_path][TemplateSections.RESOURCES][ entity_name ] diff --git a/tests/cloudformation/graph/graph_builder/resources/edges_json/test.json b/tests/cloudformation/graph/graph_builder/resources/edges_json/test.json new file mode 100644 index 0000000000..1e45ec20ee --- /dev/null +++ b/tests/cloudformation/graph/graph_builder/resources/edges_json/test.json @@ -0,0 +1,179 @@ +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Parameters": { + "EnvType": { + "Description": "Environment type.", + "Default": "test", + "Type": "String", + "AllowedValues": [ + "prod", + "dev", + "test" + ], + "ConstraintDescription": "must specify prod, dev, or test." + }, + "DataBucketName": { + "Description": "Bucket Name", + "Type": "String", + "Default": "bucket_name" + } + }, + "Mappings": { + "RegionMap": { + "us-east-1": { + "AMI": "ami-0ff8a91507f77f867" + }, + "us-west-1": { + "AMI": "ami-0bdb828fd58c52235" + }, + "us-west-2": { + "AMI": "ami-a0cfeed8" + }, + "eu-west-1": { + "AMI": "ami-047bb4163c506cd98" + }, + "sa-east-1": { + "AMI": "ami-07b14488da8ea02a0" + }, + "ap-southeast-1": { + "AMI": "ami-08569b978cc4dfa10" + }, + "ap-southeast-2": { + "AMI": "ami-09b42976632b27e9b" + }, + "ap-northeast-1": { + "AMI": "ami-06cd52961ce9f0d85" + } + } + }, + "Conditions": { + "CreateProdResources": { + "Fn::Equals": [ + { + "Ref": "EnvType" + }, + "prod" + ] + }, + "CreateDevResources": { + "Fn::Equals": [ + { + "Ref": "EnvType" + }, + "dev" + ] + } + }, + "Resources": { + "EC2Instance": { + "Type": "AWS::EC2::Instance", + "Properties": { + "ImageId": { + "Fn::FindInMap": [ + "RegionMap", + { + "Ref": "AWS::Region" + }, + "AMI" + ] + }, + "InstanceType": { + "Fn::If": [ + "CreateProdResources", + "c1.xlarge", + { + "Fn::If": [ + "CreateDevResources", + "m1.large", + "m1.small" + ] + } + ] + }, + "Tags": [ + { + "Key": "Name", + "Value": { + "Fn::Sub": [ + "ec2-${Environment}", + { + "Environment": { + "Ref": "EnvType" + } + } + ] + } + } + ] + } + }, + "MountPoint": { + "Type": "AWS::EC2::VolumeAttachment", + "Condition": "CreateProdResources", + "Properties": { + "InstanceId": { + "Ref": "EC2Instance" + }, + "VolumeId": { + "Ref": "NewVolume" + }, + "Device": "/dev/sdh" + } + }, + "NewVolume": { + "Type": "AWS::EC2::Volume", + "Condition": "CreateProdResources", + "Properties": { + "Size": 100, + "AvailabilityZone": { + "Fn::GetAtt": [ + "EC2Instance", + "AvailabilityZone" + ] + } + } + }, + "DataBucket": { + "Type": "AWS::S3::Bucket", + "DeletionPolicy": "Delete", + "DependsOn": "EC2Instance", + "Properties": { + "BucketName": { + "Ref": "DataBucketName" + }, + "AccessControl": "PublicRead", + "Tags": [ + { + "Key": "Name", + "Value": { + "Fn::Sub": "${AWS::AccountId}-${DataBucketName}-${EnvType}" + } + } + ] + } + } + }, + "Outputs": { + "EC2InstanceId": { + "Description": "Web Host Public DNS Name", + "Value": { + "Ref": "EC2Instance" + } + }, + "EC2PublicDNS": { + "Description": "Web Host Public DNS Name", + "Value": { + "Fn::GetAtt": [ + "EC2Instance", + "PublicDnsName" + ] + } + }, + "DataBucketUniqueId": { + "Description": "Data Bucket Name", + "Value": { + "Fn::Sub": "DataBucket-${DataBucket}-${DataBucketName}" + } + } + } +} \ No newline at end of file diff --git a/tests/cloudformation/graph/graph_builder/resources/edges_yaml/test.yaml b/tests/cloudformation/graph/graph_builder/resources/edges_yaml/test.yaml new file mode 100644 index 0000000000..de346bea31 --- /dev/null +++ b/tests/cloudformation/graph/graph_builder/resources/edges_yaml/test.yaml @@ -0,0 +1,83 @@ +AWSTemplateFormatVersion: "2010-09-09" + +Parameters: + EnvType: + Description: Environment type. + Default: test + Type: String + AllowedValues: [prod, dev, test] + ConstraintDescription: must specify prod, dev, or test. + DataBucketName: + Description: Bucket Name + Type: String + Default: bucket_name + +Mappings: + RegionMap: + us-east-1: + AMI: "ami-0ff8a91507f77f867" + us-west-1: + AMI: "ami-0bdb828fd58c52235" + us-west-2: + AMI: "ami-a0cfeed8" + eu-west-1: + AMI: "ami-047bb4163c506cd98" + sa-east-1: + AMI: "ami-07b14488da8ea02a0" + ap-southeast-1: + AMI: "ami-08569b978cc4dfa10" + ap-southeast-2: + AMI: "ami-09b42976632b27e9b" + ap-northeast-1: + AMI: "ami-06cd52961ce9f0d85" + +Conditions: + CreateProdResources: !Equals [!Ref EnvType, prod] + CreateDevResources: !Equals [!Ref EnvType, "dev"] + +Resources: + EC2Instance: + Type: "AWS::EC2::Instance" + Properties: + ImageId: !FindInMap [RegionMap, !Ref "AWS::Region", AMI] + InstanceType: !If [CreateProdResources, c1.xlarge, !If [CreateDevResources, m1.large, m1.small]] + Tags: + - Key: Name + Value: !Sub + - ec2-${Environment} + - Environment: !Ref EnvType + MountPoint: + Type: "AWS::EC2::VolumeAttachment" + Condition: CreateProdResources + Properties: + InstanceId: !Ref EC2Instance + VolumeId: !Ref NewVolume + Device: /dev/sdh + NewVolume: + Type: "AWS::EC2::Volume" + Condition: CreateProdResources + Properties: + Size: 100 + AvailabilityZone: !GetAtt EC2Instance.AvailabilityZone + DataBucket: + # Public, not encrypted, no access logs, no versioning + Type: AWS::S3::Bucket + DeletionPolicy: Delete + DependsOn: EC2Instance + Properties: + BucketName: !Ref DataBucketName + AccessControl: PublicRead + Tags: + - Key: Name + Value: !Sub "${AWS::AccountId}-${DataBucketName}-${EnvType}" + +Outputs: + EC2InstanceId: + Description: Web Host Public DNS Name + Value: !Ref EC2Instance + EC2PublicDNS: + Description: Web Host Public DNS Name + Value: !GetAtt [EC2Instance, PublicDnsName] + DataBucketUniqueId: + Description: Data Bucket Name + Value: !Sub "DataBucket-${DataBucket}-${DataBucketName}" diff --git a/tests/cloudformation/graph/graph_builder/resources/test.json b/tests/cloudformation/graph/graph_builder/resources/vertices/test.json similarity index 100% rename from tests/cloudformation/graph/graph_builder/resources/test.json rename to tests/cloudformation/graph/graph_builder/resources/vertices/test.json diff --git a/tests/cloudformation/graph/graph_builder/resources/test.yaml b/tests/cloudformation/graph/graph_builder/resources/vertices/test.yaml similarity index 100% rename from tests/cloudformation/graph/graph_builder/resources/test.yaml rename to tests/cloudformation/graph/graph_builder/resources/vertices/test.yaml diff --git a/tests/cloudformation/graph/graph_builder/test_local_graph.py b/tests/cloudformation/graph/graph_builder/test_local_graph.py index 615ca78e79..0b380b4800 100644 --- a/tests/cloudformation/graph/graph_builder/test_local_graph.py +++ b/tests/cloudformation/graph/graph_builder/test_local_graph.py @@ -3,10 +3,9 @@ from checkov.cloudformation.cfn_utils import create_definitions from checkov.cloudformation.graph_builder.graph_components.block_types import BlockType -from checkov.cloudformation.graph_builder.graph_components.block_types import CloudformationTemplateSections from checkov.cloudformation.graph_builder.graph_to_definitions import convert_graph_vertices_to_definitions from checkov.cloudformation.graph_builder.local_graph import CloudformationLocalGraph -from checkov.cloudformation.parser import parse +from checkov.cloudformation.parser import parse, TemplateSections from checkov.runner_filter import RunnerFilter TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__)) @@ -21,6 +20,7 @@ def test_build_graph_with_single_resource(self): local_graph = CloudformationLocalGraph(definitions) local_graph.build_graph(render_variables=False) self.assertEqual(1, len(local_graph.vertices)) + self.assertEqual(0, len(local_graph.edges)) resource_vertex = local_graph.vertices[0] self.assertEqual("AWS::ApiGateway::Stage.MyStage", resource_vertex.name) self.assertEqual("AWS::ApiGateway::Stage.MyStage", resource_vertex.id) @@ -44,7 +44,7 @@ def test_build_graph_with_params_outputs(self): self.assertEqual(len([v for v in local_graph.vertices if v.block_type == BlockType.MAPPING]), 1) def test_vertices_from_local_graph(self): - resources_dir = os.path.realpath(os.path.join(TEST_DIRNAME, './resources')) + resources_dir = os.path.realpath(os.path.join(TEST_DIRNAME, './resources/vertices')) definitions, _ = create_definitions(root_folder=resources_dir, files=None, runner_filter=RunnerFilter()) local_graph = CloudformationLocalGraph(definitions) local_graph.build_graph(render_variables=False) @@ -53,15 +53,79 @@ def test_vertices_from_local_graph(self): self.assertIsNotNone(definitions) self.assertEqual(len(definitions.items()), 2) - test_yaml_definitions = definitions[os.path.join(resources_dir, 'test.yaml')][CloudformationTemplateSections.RESOURCES] + test_yaml_definitions = definitions[os.path.join(resources_dir, 'test.yaml')][TemplateSections.RESOURCES] self.assertEqual(len(test_yaml_definitions.keys()), 2) self.assertIn('MyDB', test_yaml_definitions.keys()) self.assertIn('MySourceQueue', test_yaml_definitions.keys()) - test_json_definitions = definitions[os.path.join(resources_dir, 'test.json')][CloudformationTemplateSections.RESOURCES] + test_json_definitions = definitions[os.path.join(resources_dir, 'test.json')][TemplateSections.RESOURCES] self.assertEqual(len(test_json_definitions.keys()), 2) self.assertIn('MyDB', test_json_definitions.keys()) self.assertIn('MySourceQueue', test_json_definitions.keys()) self.assertIsNotNone(breadcrumbs) self.assertDictEqual(breadcrumbs, {}) # Will be changed when we add breadcrumbs to cfn vertices + + def test_yaml_edges(self): + root_dir = os.path.realpath(os.path.join(TEST_DIRNAME, 'resources/edges_yaml')) + self.validate_edges_count(root_dir) + + def test_json_edges(self): + root_dir = os.path.realpath(os.path.join(TEST_DIRNAME, 'resources/edges_json')) + self.validate_edges_count(root_dir) + + def validate_edges_count(self, root_dir) -> None: + expected_out_edges_count = { + 'parameters.EnvType': 0, + 'parameters.DataBucketName': 0, + 'mappings.RegionMap': 0, + 'conditions.CreateProdResources': 1, + 'conditions.CreateDevResources': 1, + 'AWS::EC2::Instance.EC2Instance': 4, + 'AWS::EC2::VolumeAttachment.MountPoint': 3, + 'AWS::EC2::Volume.NewVolume': 2, + 'AWS::S3::Bucket.DataBucket': 4, + 'outputs.EC2InstanceId': 1, + 'outputs.EC2PublicDNS': 1, + 'outputs.DataBucketUniqueId': 2 + } + + expected_in_edges_count = { + 'parameters.EnvType': 4, + 'parameters.DataBucketName': 3, + 'mappings.RegionMap': 1, + 'conditions.CreateProdResources': 3, + 'conditions.CreateDevResources': 1, + 'AWS::EC2::Instance.EC2Instance': 5, + 'AWS::EC2::VolumeAttachment.MountPoint': 0, + 'AWS::EC2::Volume.NewVolume': 1, + 'AWS::S3::Bucket.DataBucket': 1, + 'outputs.EC2InstanceId': 0, + 'outputs.EC2PublicDNS': 0, + 'outputs.DataBucketUniqueId': 0 + } + + definitions, _ = create_definitions(root_folder=root_dir, files=None, runner_filter=RunnerFilter()) + local_graph = CloudformationLocalGraph(definitions) + local_graph.build_graph(render_variables=False) + idx_to_vertex_id = {idx: vertex.id for idx, vertex in enumerate(local_graph.vertices)} + + # we check that each entity in the template file has the right amount of out edges_yaml + out_edges_overall_count = 0 + for vertex_index, actual_out_edges in local_graph.out_edges.items(): + vertex_id = idx_to_vertex_id[vertex_index] + self.assertEqual(len(actual_out_edges), expected_out_edges_count[vertex_id]) + out_edges_overall_count += len(actual_out_edges) + + # we check that each entity in the template file has the right amount of in edges_yaml + in_edges_overall_count = 0 + for vertex_index, actual_in_edges in local_graph.in_edges.items(): + vertex_id = idx_to_vertex_id[vertex_index] + self.assertEqual(len(actual_in_edges), expected_in_edges_count[vertex_id]) + in_edges_overall_count += len(actual_in_edges) + + # we check that the overall amount of out edges_yaml equals the overall amount of in edges_yaml + # and the overall amount of edges_yaml + self.assertEqual(out_edges_overall_count, in_edges_overall_count) + self.assertEqual(out_edges_overall_count, len(local_graph.edges)) + diff --git a/tests/cloudformation/utils/test_cfn_utils.py b/tests/cloudformation/utils/test_cfn_utils.py index 29e7895ed0..4504467d09 100644 --- a/tests/cloudformation/utils/test_cfn_utils.py +++ b/tests/cloudformation/utils/test_cfn_utils.py @@ -3,7 +3,7 @@ from checkov.cloudformation.cfn_utils import get_folder_definitions, build_definitions_context from checkov.cloudformation.parser.node import dict_node -from checkov.cloudformation.graph_builder.graph_components.block_types import CloudformationTemplateSections +from checkov.cloudformation.parser import TemplateSections TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__)) RELATIVE_PATH = 'file_formats' @@ -25,20 +25,20 @@ def validate_definition_lines(self, definition: dict_node, start_line, end_line, def test_parameters_value(self): # Asserting test.yaml file yaml_parameters = self.definitions_context[os.path.join(self.test_root_dir, 'test.yaml')][ - CloudformationTemplateSections.PARAMETERS.value] + TemplateSections.PARAMETERS.value] self.assertIsNotNone(yaml_parameters) self.assertEqual(len(yaml_parameters), 2) self.validate_definition_lines(yaml_parameters['KmsMasterKeyId'], 4, 7, 4) self.validate_definition_lines(yaml_parameters['DBName'], 8, 11, 4) # Asserting test2.yaml file yaml2_parameters = self.definitions_context[os.path.join(self.test_root_dir, 'test2.yaml')][ - CloudformationTemplateSections.PARAMETERS.value] + TemplateSections.PARAMETERS.value] self.assertIsNotNone(yaml2_parameters) self.assertEqual(len(yaml2_parameters), 1) self.validate_definition_lines(yaml2_parameters['LatestAmiId'], 4, 6, 3) # Asserting json file json_parameters = self.definitions_context[os.path.join(self.test_root_dir, 'test.json')][ - CloudformationTemplateSections.PARAMETERS.value] + TemplateSections.PARAMETERS.value] self.assertIsNotNone(json_parameters) self.assertEqual(len(json_parameters), 2) self.validate_definition_lines(json_parameters['KmsMasterKeyId'], 5, 9, 5) @@ -47,14 +47,14 @@ def test_parameters_value(self): def test_resources_value(self): # Asserting test.yaml file yaml_resources = self.definitions_context[os.path.join(self.test_root_dir, 'test.yaml')][ - CloudformationTemplateSections.RESOURCES.value] + TemplateSections.RESOURCES.value] self.assertIsNotNone(yaml_resources) self.assertEqual(len(yaml_resources), 2) self.validate_definition_lines(yaml_resources['MySourceQueue'], 13, 16, 4) self.validate_definition_lines(yaml_resources['MyDB'], 17, 26, 10) # Asserting test2.yaml file yaml2_resources = self.definitions_context[os.path.join(self.test_root_dir, 'test2.yaml')][ - CloudformationTemplateSections.RESOURCES.value] + TemplateSections.RESOURCES.value] self.assertIsNotNone(yaml2_resources) self.assertEqual(len(yaml2_resources), 4) self.validate_definition_lines(yaml2_resources['WebHostStorage'], 12, 23, 12) @@ -63,7 +63,7 @@ def test_resources_value(self): self.validate_definition_lines(yaml2_resources['DBAppInstance'], 52, 184, 133) # Asserting json file json_resources = self.definitions_context[os.path.join(self.test_root_dir, 'test.json')][ - CloudformationTemplateSections.RESOURCES.value] + TemplateSections.RESOURCES.value] self.assertIsNotNone(json_resources) self.assertEqual(len(json_resources), 2) self.validate_definition_lines(json_resources['MySourceQueue'], 17, 22, 6) @@ -72,13 +72,13 @@ def test_resources_value(self): def test_outputs_value(self): # Asserting test.yaml file yaml_outputs = self.definitions_context[os.path.join(self.test_root_dir, 'test.yaml')][ - CloudformationTemplateSections.OUTPUTS.value] + TemplateSections.OUTPUTS.value] self.assertIsNotNone(yaml_outputs) self.assertEqual(len(yaml_outputs), 1) self.validate_definition_lines(yaml_outputs['DBAppPublicDNS'], 28, 30, 3) # Asserting test2.yaml file yaml2_outputs = self.definitions_context[os.path.join(self.test_root_dir, 'test2.yaml')][ - CloudformationTemplateSections.OUTPUTS.value] + TemplateSections.OUTPUTS.value] self.assertIsNotNone(yaml2_outputs) self.assertEqual(len(yaml2_outputs), 5) self.validate_definition_lines(yaml2_outputs['EC2PublicDNS'], 187, 191, 5) @@ -88,14 +88,14 @@ def test_outputs_value(self): self.validate_definition_lines(yaml2_outputs['UserName'], 204, 206, 3) # Asserting json file json_outputs = self.definitions_context[os.path.join(self.test_root_dir, 'test.json')][ - CloudformationTemplateSections.OUTPUTS.value] + TemplateSections.OUTPUTS.value] self.assertIsNotNone(json_outputs) self.assertEqual(len(json_outputs), 1) self.validate_definition_lines(json_outputs['DBAppPublicDNS'], 35, 38, 4) def test_skipped_check_exists(self): skipped_checks = self.definitions_context[os.path.join(self.test_root_dir, 'test.yaml')][ - CloudformationTemplateSections.RESOURCES.value]['MyDB']['skipped_checks'] + TemplateSections.RESOURCES.value]['MyDB']['skipped_checks'] self.assertEqual(len(skipped_checks), 1) self.assertEqual(skipped_checks[0]['id'], 'CKV_AWS_16') self.assertEqual(skipped_checks[0]['suppress_comment'], From f4e40944c40b930e2f99579693cdd0d9b8daf3d2 Mon Sep 17 00:00:00 2001 From: Saar Ettinger Date: Sun, 15 Aug 2021 23:57:40 +0300 Subject: [PATCH 100/203] fixed placement of definitions context build --- checkov/cloudformation/runner.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/checkov/cloudformation/runner.py b/checkov/cloudformation/runner.py index 7d2bfd272b..e313f63af9 100644 --- a/checkov/cloudformation/runner.py +++ b/checkov/cloudformation/runner.py @@ -57,13 +57,13 @@ def run( for directory in external_checks_dir: cfn_registry.load_external_checks(directory) self.graph_registry.load_external_checks(directory) + self.context = build_definitions_context(self.definitions, self.definitions_raw, root_folder) logging.info("creating cloudformation graph") local_graph = self.graph_manager.build_graph_from_definitions(self.definitions) + evaluate_default_refs(self.definitions, self.definitions_raw) self.graph_manager.save_graph(local_graph) self.definitions, self.breadcrumbs = convert_graph_vertices_to_definitions(local_graph.vertices, root_folder) - evaluate_default_refs(self.definitions, self.definitions_raw) - self.context = build_definitions_context(self.definitions, self.definitions_raw, root_folder) # run checks self.check_definitions(root_folder, runner_filter, report) From ef302fbfe74732c5bdeb7c1d94c80fb9975089ad Mon Sep 17 00:00:00 2001 From: PH Date: Mon, 16 Aug 2021 13:08:01 +0100 Subject: [PATCH 101/203] Update Dockerfile --- Dockerfile | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/Dockerfile b/Dockerfile index e39ad6592a..475299e08d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,9 @@ FROM python:3.7-alpine +ARG UID=1000 +ARG GID=1000 +ARG USERNAME=checkov + RUN apk update && apk add --no-cache git util-linux bash openssl RUN pip install --no-cache-dir -U checkov @@ -9,5 +13,14 @@ COPY ./github_action_resources/entrypoint.sh /entrypoint.sh COPY ./github_action_resources/checkov-problem-matcher.json /usr/local/lib/checkov-problem-matcher.json COPY ./github_action_resources/checkov-problem-matcher-softfail.json /usr/local/lib/checkov-problem-matcher-softfail.json +RUN addgroup -S -g ${GID} ${USERNAME} && \ + adduser -S -D -u ${UID} -G ${USERNAME} ${USERNAME} && \ + chown -R ${USERNAME}:0 /entrypoint.sh && \ + chown -R ${USERNAME}:0 /usr/local/lib/ && \ + chmod -R g=u /entrypoint.sh && \ + chmod -R g=u /usr/local/lib/ + +USER ${UID} + # Code file to execute when the docker container starts up (`entrypoint.sh`) ENTRYPOINT ["/entrypoint.sh"] From 055815a146f4d8a907f5056a64d92c145fc5860c Mon Sep 17 00:00:00 2001 From: PH Date: Mon, 16 Aug 2021 13:41:04 +0100 Subject: [PATCH 102/203] . --- Dockerfile | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/Dockerfile b/Dockerfile index 475299e08d..eca10fff98 100644 --- a/Dockerfile +++ b/Dockerfile @@ -9,16 +9,12 @@ RUN apk update && apk add --no-cache git util-linux bash openssl RUN pip install --no-cache-dir -U checkov RUN wget -q -O get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3; chmod 700 get_helm.sh; VERIFY_CHECKSUM=true ./get_helm.sh; rm ./get_helm.sh -COPY ./github_action_resources/entrypoint.sh /entrypoint.sh -COPY ./github_action_resources/checkov-problem-matcher.json /usr/local/lib/checkov-problem-matcher.json -COPY ./github_action_resources/checkov-problem-matcher-softfail.json /usr/local/lib/checkov-problem-matcher-softfail.json - RUN addgroup -S -g ${GID} ${USERNAME} && \ - adduser -S -D -u ${UID} -G ${USERNAME} ${USERNAME} && \ - chown -R ${USERNAME}:0 /entrypoint.sh && \ - chown -R ${USERNAME}:0 /usr/local/lib/ && \ - chmod -R g=u /entrypoint.sh && \ - chmod -R g=u /usr/local/lib/ + adduser -S -D -u ${UID} -G ${USERNAME} ${USERNAME} + +COPY --chown=${USERNAME}:0 ./github_action_resources/entrypoint.sh /entrypoint.sh +COPY --chown=${USERNAME}:0 ./github_action_resources/checkov-problem-matcher.json /usr/local/lib/checkov-problem-matcher.json +COPY --chown=${USERNAME}:0 ./github_action_resources/checkov-problem-matcher-softfail.json /usr/local/lib/checkov-problem-matcher-softfail.json USER ${UID} From 373be88698953b748e0d13e37e804cdaa6483385 Mon Sep 17 00:00:00 2001 From: Saar Ettinger Date: Mon, 16 Aug 2021 16:31:21 +0300 Subject: [PATCH 103/203] turned off ref edges creation --- checkov/cloudformation/cfn_utils.py | 3 ++- checkov/cloudformation/graph_builder/local_graph.py | 2 +- checkov/cloudformation/runner.py | 4 ++-- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/checkov/cloudformation/cfn_utils.py b/checkov/cloudformation/cfn_utils.py index 323c8c0bb4..964c8edae9 100644 --- a/checkov/cloudformation/cfn_utils.py +++ b/checkov/cloudformation/cfn_utils.py @@ -220,4 +220,5 @@ def evaluate_default_refs(definitions, definitions_raw): logging.debug( "Template Dump for {}: {}".format(cf_file, json.dumps(definitions[cf_file], indent=2, default=str)) ) - cf_context_parser.evaluate_default_refs() \ No newline at end of file + cf_context_parser.evaluate_default_refs() + return definitions, definitions_raw \ No newline at end of file diff --git a/checkov/cloudformation/graph_builder/local_graph.py b/checkov/cloudformation/graph_builder/local_graph.py index b942c0741b..a9a9e9362a 100644 --- a/checkov/cloudformation/graph_builder/local_graph.py +++ b/checkov/cloudformation/graph_builder/local_graph.py @@ -217,7 +217,7 @@ def _create_edges(self) -> None: self._add_resource_attr_connections(IntrinsicFunctions.CONDITION.value) self._add_fn_connections(IntrinsicFunctions.GET_ATT.value) self._add_fn_connections(ConditionFunctions.IF.value) - self._add_fn_connections(IntrinsicFunctions.REF.value) + #self._add_fn_connections(IntrinsicFunctions.REF.value) self._add_fn_connections(IntrinsicFunctions.FIND_IN_MAP.value) self._add_fn_sub_connections() diff --git a/checkov/cloudformation/runner.py b/checkov/cloudformation/runner.py index e313f63af9..29e4ce0af0 100644 --- a/checkov/cloudformation/runner.py +++ b/checkov/cloudformation/runner.py @@ -1,6 +1,7 @@ import logging import os from typing import Optional, List +from copy import deepcopy from checkov.cloudformation import cfn_utils from checkov.cloudformation.cfn_utils import create_definitions, build_definitions_context, evaluate_default_refs @@ -52,7 +53,7 @@ def run( report = Report(self.check_type) if self.context is None or self.definitions is None or self.breadcrumbs is None: - self.definitions, self.definitions_raw = create_definitions(root_folder, files, runner_filter, False) + self.definitions, self.definitions_raw = create_definitions(root_folder, files, runner_filter) if external_checks_dir: for directory in external_checks_dir: cfn_registry.load_external_checks(directory) @@ -61,7 +62,6 @@ def run( logging.info("creating cloudformation graph") local_graph = self.graph_manager.build_graph_from_definitions(self.definitions) - evaluate_default_refs(self.definitions, self.definitions_raw) self.graph_manager.save_graph(local_graph) self.definitions, self.breadcrumbs = convert_graph_vertices_to_definitions(local_graph.vertices, root_folder) From 1eed20e15e3160fda8f8a6b6071d4a1ab3cff685 Mon Sep 17 00:00:00 2001 From: Saar Ettinger Date: Mon, 16 Aug 2021 16:44:33 +0300 Subject: [PATCH 104/203] added back template sections to block_types file in order to support bc, reverted back cfn_utils create_definitions --- checkov/cloudformation/cfn_utils.py | 11 ++--------- .../graph_builder/graph_components/block_types.py | 10 ++++++++++ checkov/cloudformation/runner.py | 3 +-- 3 files changed, 13 insertions(+), 11 deletions(-) diff --git a/checkov/cloudformation/cfn_utils.py b/checkov/cloudformation/cfn_utils.py index 964c8edae9..62e48f5429 100644 --- a/checkov/cloudformation/cfn_utils.py +++ b/checkov/cloudformation/cfn_utils.py @@ -189,8 +189,7 @@ def create_file_abs_path(root_folder: str, cf_file: str) -> str: def create_definitions( - root_folder: str, files: Optional[List[str]] = None, - runner_filter: RunnerFilter = RunnerFilter(), is_evaluate_default_refs: bool = True + root_folder: str, files: Optional[List[str]] = None, runner_filter: RunnerFilter = RunnerFilter() ) -> Tuple[Dict[str, dict_node], Dict[str, List[Tuple[int, str]]]]: definitions = {} definitions_raw = {} @@ -209,16 +208,10 @@ def create_definitions( } definitions_raw = {k: v for k, v in definitions_raw.items() if k in definitions.keys()} - if is_evaluate_default_refs: - evaluate_default_refs(definitions, definitions_raw) - return definitions, definitions_raw - - -def evaluate_default_refs(definitions, definitions_raw): for cf_file in definitions.keys(): cf_context_parser = ContextParser(cf_file, definitions[cf_file], definitions_raw[cf_file]) logging.debug( "Template Dump for {}: {}".format(cf_file, json.dumps(definitions[cf_file], indent=2, default=str)) ) cf_context_parser.evaluate_default_refs() - return definitions, definitions_raw \ No newline at end of file + return definitions, definitions_raw diff --git a/checkov/cloudformation/graph_builder/graph_components/block_types.py b/checkov/cloudformation/graph_builder/graph_components/block_types.py index 370ad6d22d..1242fa6c56 100644 --- a/checkov/cloudformation/graph_builder/graph_components/block_types.py +++ b/checkov/cloudformation/graph_builder/graph_components/block_types.py @@ -1,4 +1,5 @@ from dataclasses import dataclass +from enum import Enum from checkov.common.graph.graph_builder.graph_components.block_types import BlockType as CommonBlockType @@ -14,3 +15,12 @@ class BlockType(CommonBlockType): OUTPUT = "outputs" +class CloudformationTemplateSections(str, Enum): + RESOURCES = "Resources" + METADATA = "Metadata" + PARAMETERS = "Parameters" + RULES = "Rules" + MAPPINGS = "Mappings" + CONDITIONS = "Conditions" + TRANSFORM = "Transform" + OUTPUTS = "Outputs" diff --git a/checkov/cloudformation/runner.py b/checkov/cloudformation/runner.py index 29e4ce0af0..c85d551aa1 100644 --- a/checkov/cloudformation/runner.py +++ b/checkov/cloudformation/runner.py @@ -1,10 +1,9 @@ import logging import os from typing import Optional, List -from copy import deepcopy from checkov.cloudformation import cfn_utils -from checkov.cloudformation.cfn_utils import create_definitions, build_definitions_context, evaluate_default_refs +from checkov.cloudformation.cfn_utils import create_definitions, build_definitions_context from checkov.cloudformation.checks.resource.registry import cfn_registry from checkov.cloudformation.context_parser import ContextParser from checkov.cloudformation.parser import TemplateSections From a14efe3d4a96066de1cf656093d55549c5606ea1 Mon Sep 17 00:00:00 2001 From: Saar Ettinger Date: Mon, 16 Aug 2021 17:32:18 +0300 Subject: [PATCH 105/203] fixed tests --- .../graph_builder/local_graph.py | 28 +++++++++++++------ checkov/cloudformation/parser/__init__.py | 13 +++++---- .../graph/graph_builder/test_local_graph.py | 20 ++++++------- 3 files changed, 36 insertions(+), 25 deletions(-) diff --git a/checkov/cloudformation/graph_builder/local_graph.py b/checkov/cloudformation/graph_builder/local_graph.py index a9a9e9362a..6f19f32d0c 100644 --- a/checkov/cloudformation/graph_builder/local_graph.py +++ b/checkov/cloudformation/graph_builder/local_graph.py @@ -134,10 +134,11 @@ def _add_fn_connections(self, key) -> None: source_id, value, attributes = self._extract_source_value_attrs(matching_path) target_id = extract_target_id_func(template, value) if target_id: - origin_node_index = self._vertices_indexes[file_path][source_id] - dest_vertex_index = self._vertices_indexes[file_path][target_id] - attributes_joined = '.'.join(map(str, attributes)) # mapping all attributes to str because one of the attrs might be an int - self._create_edge(origin_node_index, dest_vertex_index, label=attributes_joined) + origin_vertex_index, dest_vertex_index, label = self._extract_origin_dest_label( + file_path, source_id, target_id, attributes) + if origin_vertex_index is None or dest_vertex_index is None: + continue + self._create_edge(origin_vertex_index, dest_vertex_index, label) def _fetch_if_target_id(self, template, value) -> int: target_id = None @@ -200,11 +201,20 @@ def _add_fn_sub_connections(self): if sub_parameter not in sub_parameter_values: if '.' in sub_parameter: sub_parameter = sub_parameter.split('.')[0] - origin_node_index = self._vertices_indexes[file_path][source_id] - dest_vertex_index = self._vertices_indexes[file_path][sub_parameter] - attributes_joined = '.'.join(map(str, - attributes)) # mapping all attributes to str because one of the attrs might be an int - self._create_edge(origin_node_index, dest_vertex_index, label=attributes_joined) + origin_vertex_index, dest_vertex_index, label = self._extract_origin_dest_label( + file_path, source_id, sub_parameter, attributes) + if origin_vertex_index is None or dest_vertex_index is None: + continue + self._create_edge(origin_vertex_index, dest_vertex_index, label) + + def _extract_origin_dest_label(self, file_path, source_id, target_id, attributes): + origin_vertex_index, dest_vertex_index = None, None + if dpath.search(self._vertices_indexes, [file_path, source_id]): + origin_vertex_index = dpath.get(self._vertices_indexes, [file_path, source_id]) + if dpath.search(self._vertices_indexes, [file_path, target_id]): + dest_vertex_index = dpath.get(self._vertices_indexes, [file_path, target_id]) + attributes_joined = '.'.join(map(str, attributes)) # mapping all attributes to str because one of the attrs might be an int + return origin_vertex_index, dest_vertex_index, attributes_joined @staticmethod def _find_fn_sub_parameter(string): diff --git a/checkov/cloudformation/parser/__init__.py b/checkov/cloudformation/parser/__init__.py index dc350606d4..0c2227edab 100644 --- a/checkov/cloudformation/parser/__init__.py +++ b/checkov/cloudformation/parser/__init__.py @@ -44,10 +44,11 @@ def parse(filename: str) -> Union[Tuple[dict_node, List[Tuple[int, str]]], Tuple except YAMLError as err: pass - resources = template.get(TemplateSections.RESOURCES.value) - if resources: - if '__startline__' in resources: - resources.pop('__startline__') - if '__endline__' in resources: - resources.pop('__endline__') + if template: + resources = template.get(TemplateSections.RESOURCES.value, None) + if resources: + if '__startline__' in resources: + resources.pop('__startline__') + if '__endline__' in resources: + resources.pop('__endline__') return template, template_lines diff --git a/tests/cloudformation/graph/graph_builder/test_local_graph.py b/tests/cloudformation/graph/graph_builder/test_local_graph.py index 0b380b4800..a30bf0c2d6 100644 --- a/tests/cloudformation/graph/graph_builder/test_local_graph.py +++ b/tests/cloudformation/graph/graph_builder/test_local_graph.py @@ -79,26 +79,26 @@ def validate_edges_count(self, root_dir) -> None: 'parameters.EnvType': 0, 'parameters.DataBucketName': 0, 'mappings.RegionMap': 0, - 'conditions.CreateProdResources': 1, - 'conditions.CreateDevResources': 1, - 'AWS::EC2::Instance.EC2Instance': 4, - 'AWS::EC2::VolumeAttachment.MountPoint': 3, + 'conditions.CreateProdResources': 0, + 'conditions.CreateDevResources': 0, + 'AWS::EC2::Instance.EC2Instance': 3, + 'AWS::EC2::VolumeAttachment.MountPoint': 1, 'AWS::EC2::Volume.NewVolume': 2, - 'AWS::S3::Bucket.DataBucket': 4, - 'outputs.EC2InstanceId': 1, + 'AWS::S3::Bucket.DataBucket': 3, + 'outputs.EC2InstanceId': 0, 'outputs.EC2PublicDNS': 1, 'outputs.DataBucketUniqueId': 2 } expected_in_edges_count = { - 'parameters.EnvType': 4, - 'parameters.DataBucketName': 3, + 'parameters.EnvType': 1, + 'parameters.DataBucketName': 2, 'mappings.RegionMap': 1, 'conditions.CreateProdResources': 3, 'conditions.CreateDevResources': 1, - 'AWS::EC2::Instance.EC2Instance': 5, + 'AWS::EC2::Instance.EC2Instance': 3, 'AWS::EC2::VolumeAttachment.MountPoint': 0, - 'AWS::EC2::Volume.NewVolume': 1, + 'AWS::EC2::Volume.NewVolume': 0, 'AWS::S3::Bucket.DataBucket': 1, 'outputs.EC2InstanceId': 0, 'outputs.EC2PublicDNS': 0, From 71ae31b2fd87c7a16589233a1f02130b521d297b Mon Sep 17 00:00:00 2001 From: Saar Ettinger Date: Mon, 16 Aug 2021 17:41:35 +0300 Subject: [PATCH 106/203] added cfn lint to setup.py --- setup.py | 1 + 1 file changed, 1 insertion(+) diff --git a/setup.py b/setup.py index d9f0cd62a1..78b21dd1b8 100644 --- a/setup.py +++ b/setup.py @@ -57,6 +57,7 @@ "detect-secrets", "policyuniverse", "typing-extensions", + "cfn-lint==0.53.*", ], license="Apache License 2.0", name="checkov", From 883f8ce81f7a3adcc9116502c35d7715daefc668 Mon Sep 17 00:00:00 2001 From: nimrodkor Date: Mon, 16 Aug 2021 17:47:27 +0300 Subject: [PATCH 107/203] Disable API token runs on PRs --- .github/workflows/pr-test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pr-test.yml b/.github/workflows/pr-test.yml index 960b777d48..61bcd13dcf 100644 --- a/.github/workflows/pr-test.yml +++ b/.github/workflows/pr-test.yml @@ -75,7 +75,7 @@ jobs: BC_KEY: ${{ secrets.BC_API_KEY }} run: | sleep $((RANDOM % 11)) - ./integration_tests/prepare_data.sh ${{ matrix.python }} + ./integration_tests/prepare_data.sh 3.8 # Just making sure the API key tests don't run on PRs - name: Run integration tests run: | pipenv run pytest integration_tests From 734859f1afe4ea9cc73f8f05f38dd3db495cfbe1 Mon Sep 17 00:00:00 2001 From: Nimrod Kor Date: Mon, 16 Aug 2021 17:52:15 +0300 Subject: [PATCH 108/203] Merge pull request #1499 from Homopatrol/master Update Dockerfile to run as a non-root user --- docs/5.Policy Index/terraform.md | 610 +++++++++++++++---------------- 1 file changed, 305 insertions(+), 305 deletions(-) diff --git a/docs/5.Policy Index/terraform.md b/docs/5.Policy Index/terraform.md index 9512ef6e5f..110c245816 100644 --- a/docs/5.Policy Index/terraform.md +++ b/docs/5.Policy Index/terraform.md @@ -205,33 +205,33 @@ nav_order: 1 | 194 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | | 195 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | | 196 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | -| 197 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 198 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | +| 197 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | +| 198 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | | 199 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | | 200 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | | 201 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to an other resource | Terraform | -| 202 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | -| 203 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | +| 202 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | +| 203 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | | 204 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | | 205 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | | 206 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | | 207 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | | 208 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | | 209 | CKV2_AWS_11 | resource | aws_vpc | Ensure VPC flow logging is enabled in all VPCs | Terraform | -| 210 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | -| 211 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 210 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 211 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | | 212 | CKV2_AWS_13 | resource | aws_redshift_cluster | Ensure that Redshift clusters has backup plan of AWS Backup | Terraform | -| 213 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | -| 214 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | -| 215 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 216 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 213 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | +| 214 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | +| 215 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 216 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | | 217 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 218 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 219 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | -| 220 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 221 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 222 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | -| 223 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 220 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | +| 221 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | +| 222 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 223 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | | 224 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | | 225 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | | 226 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | @@ -388,19 +388,19 @@ nav_order: 1 | 377 | CKV_AZURE_130 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables infrastructure encryption | Terraform | | 378 | CKV_AZURE_131 | resource | azurerm_security_center_contact | Ensure that 'Security contact emails' is set | Terraform | | 379 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | -| 380 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 381 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 382 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 383 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 384 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 385 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 386 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 387 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 388 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 389 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 390 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 391 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | -| 392 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 380 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 381 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 382 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 383 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 384 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 385 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 386 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 387 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 388 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 389 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 390 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 391 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 392 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 393 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | | 394 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 395 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | @@ -409,21 +409,21 @@ nav_order: 1 | 398 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | | 399 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | | 400 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | -| 401 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | -| 402 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | -| 403 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | -| 404 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | +| 401 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | +| 402 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | +| 403 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | +| 404 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | | 405 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | -| 406 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 407 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 408 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 409 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 410 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | -| 411 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 406 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 407 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 408 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 409 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 410 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 411 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 412 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | | 413 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 414 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 415 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 414 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 415 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | | 416 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 417 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 418 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | @@ -511,279 +511,279 @@ nav_order: 1 | 500 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | | 501 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | | 502 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 503 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 504 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 505 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 506 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 507 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 508 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 509 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 510 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 511 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 512 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 513 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 514 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 515 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 516 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 517 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 518 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 519 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 520 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 521 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 522 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 523 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 524 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 525 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 526 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 527 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 528 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 529 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 530 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 531 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 532 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 533 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 534 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 535 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 536 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 537 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 538 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 539 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 540 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 541 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 542 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 543 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 544 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 545 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 546 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 547 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 548 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 549 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 550 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 551 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 552 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 553 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 554 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 555 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 556 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 557 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 558 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 559 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 560 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 561 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 562 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 563 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 564 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 565 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 566 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 567 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 568 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 569 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 570 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 571 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 572 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 573 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 574 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 575 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 576 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 577 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 578 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 579 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 580 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 581 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 582 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 583 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 584 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 585 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 586 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 587 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 588 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 589 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 590 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 591 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 592 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 593 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 594 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 595 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 596 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 597 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 598 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 599 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 600 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 601 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 602 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 603 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 604 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 605 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 606 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 607 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 608 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 609 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 610 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 611 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 612 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 613 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 614 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 615 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 616 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 617 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 618 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 619 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 620 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 621 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 622 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 623 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 624 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 625 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 626 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 627 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 628 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 629 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 630 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 631 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 632 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 633 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 634 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 635 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 636 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 637 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 638 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 639 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 640 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 641 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 642 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 643 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 644 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 645 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 646 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 647 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 648 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 649 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 650 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 651 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 652 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 653 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 654 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 655 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 656 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 657 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 658 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 659 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 660 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 661 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 662 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 663 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 664 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 665 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 666 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 667 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 668 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 669 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 670 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 671 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 672 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 673 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 674 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 675 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 676 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 677 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 678 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 679 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 680 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 681 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 682 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 683 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 684 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 685 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 686 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 687 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 688 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 689 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 690 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 691 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 692 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 693 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 694 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 695 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 696 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 697 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 698 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 699 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 700 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 701 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 702 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 703 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 704 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 705 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 706 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 707 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 708 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 709 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 710 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 711 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 712 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 713 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 714 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 715 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 716 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 717 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 718 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 719 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 720 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 721 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 722 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 723 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 724 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 725 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 726 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 727 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 728 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 729 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 730 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 731 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 732 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 733 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 734 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 735 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 736 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 737 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 738 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 739 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 740 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 741 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 742 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 743 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 744 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 745 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 746 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 747 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 748 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 749 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 750 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 751 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 752 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 753 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 754 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 755 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 756 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 757 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 758 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 759 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 760 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 761 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 762 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 763 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 764 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 765 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 503 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 504 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 505 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 506 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 507 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 508 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 509 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 510 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 511 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 512 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 513 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 514 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 515 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 516 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 517 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 518 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 519 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 520 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 521 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 522 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 523 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 524 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 525 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 526 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 527 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 528 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 529 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 530 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 531 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 532 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 533 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 534 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 535 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 536 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 537 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 538 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 539 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 540 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 541 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 542 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 543 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 544 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 545 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 546 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 547 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 548 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 549 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 550 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 551 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 552 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 553 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 554 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 555 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 556 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 557 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 558 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 559 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 560 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 561 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 562 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 563 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 564 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 565 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 566 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 567 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 568 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 569 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 570 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 571 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 572 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 573 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 574 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 575 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 576 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 577 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 578 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 579 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 580 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 581 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 582 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 583 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 584 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 585 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 586 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 587 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 588 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 589 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 590 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 591 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 592 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 593 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 594 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 595 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 596 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 597 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 598 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 599 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 600 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 601 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 602 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 603 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 604 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 605 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 606 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 607 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 608 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 609 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 610 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 611 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 612 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 613 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 614 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 615 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 616 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 617 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 618 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 619 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 620 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 621 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 622 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 623 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 624 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 625 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 626 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 627 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 628 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 629 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 630 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 631 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 632 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 633 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 634 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 635 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 636 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 637 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 638 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 639 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 640 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 641 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 642 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 643 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 644 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 645 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 646 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 647 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 648 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 649 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 650 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 651 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 652 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 653 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 654 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 655 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 656 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 657 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 658 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 659 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 660 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 661 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 662 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 663 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 664 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 665 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 666 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 667 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 668 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 669 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 670 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 671 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 672 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 673 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 674 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 675 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 676 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 677 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 678 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 679 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 680 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 681 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 682 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 683 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 684 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 685 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 686 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 687 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 688 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 689 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 690 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 691 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 692 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 693 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 694 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 695 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 696 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 697 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 698 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 699 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 700 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 701 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 702 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 703 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 704 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 705 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 706 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 707 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 708 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 709 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 710 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 711 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 712 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 713 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 714 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 715 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 716 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 717 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 718 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 719 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 720 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 721 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 722 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 723 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 724 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 725 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 726 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 727 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 728 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 729 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 730 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 731 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 732 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 733 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 734 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 735 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 736 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 737 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 738 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 739 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 740 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 741 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 742 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 743 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 744 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 745 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 746 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 747 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 748 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 749 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 750 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 751 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 752 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 753 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 754 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 755 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 756 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 757 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 758 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 759 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 760 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 761 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 762 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 763 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 764 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 765 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 766 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 767 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 768 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 768 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 769 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | | 770 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | | 771 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | | 772 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | | 773 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 774 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | -| 775 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 774 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 775 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 776 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform | | 777 | CKV_LIN_1 | provider | linode | Ensure no hard coded Linode tokens exist in provider | Terraform | | 778 | CKV_LIN_2 | resource | linode_instance | Ensure SSH key set in authorized_keys | Terraform | From 9e6f9a9adad46dcc7e767778fb05379c11e8252d Mon Sep 17 00:00:00 2001 From: Nimrod Kor Date: Mon, 16 Aug 2021 17:52:27 +0300 Subject: [PATCH 109/203] Merge pull request #1497 from n2qz/bugfix/require-junit-xml-1-9 Requires junit-xml>=1.9, fixes #1495 --- docs/5.Policy Index/serverless.md | 130 ------------------------------ 1 file changed, 130 deletions(-) diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index 020ab484d2..d35af83ca3 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md @@ -16,133 +16,3 @@ nav_order: 1 --- -| | Id | Type | Entity | Policy | IaC | -|-----|-------------|----------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| -| 0 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | -| 1 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | -| 2 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | -| 3 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | -| 4 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | -| 5 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | -| 6 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | -| 7 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | -| 8 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | -| 9 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | -| 10 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | -| 11 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | -| 12 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | -| 13 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | -| 14 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | -| 15 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 16 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 17 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 18 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 19 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | -| 20 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | -| 21 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | -| 22 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | -| 23 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | -| 24 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | -| 25 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | -| 26 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | -| 27 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | -| 28 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | -| 29 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | -| 30 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | -| 31 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | -| 32 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | -| 33 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | -| 34 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | -| 35 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | -| 36 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | -| 37 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | -| 38 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | -| 39 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | -| 40 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | -| 41 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | -| 42 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | -| 43 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | -| 44 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | -| 45 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | -| 46 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | -| 47 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | -| 48 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | -| 49 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | -| 50 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | -| 51 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | -| 52 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | -| 53 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | -| 54 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | -| 55 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | -| 56 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | -| 57 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | -| 58 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | -| 59 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | -| 60 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | -| 61 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | -| 62 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | -| 63 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | -| 64 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | -| 65 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | -| 66 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | -| 67 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | -| 68 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | -| 69 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | -| 70 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | -| 71 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | -| 72 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | -| 73 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | -| 74 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | -| 75 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | -| 76 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | -| 77 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | -| 78 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | -| 79 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | -| 80 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 81 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 82 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 83 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 84 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 85 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 86 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 87 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 88 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 89 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 90 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 91 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 92 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 93 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 94 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 95 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 96 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 97 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 98 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 99 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 100 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 101 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 102 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 103 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 104 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 105 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | -| 106 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | -| 107 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | -| 108 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | -| 109 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | -| 110 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | -| 111 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | -| 112 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | -| 113 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | -| 114 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | -| 115 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | -| 116 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | -| 117 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | -| 118 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | -| 119 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | -| 120 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | -| 121 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | -| 122 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | - - ---- - - From 04db2429f599198556707d08b670f5fbc23e076a Mon Sep 17 00:00:00 2001 From: Nimrod Kor Date: Mon, 16 Aug 2021 17:52:15 +0300 Subject: [PATCH 110/203] Merge pull request #1499 from Homopatrol/master Update Dockerfile to run as a non-root user --- docs/5.Policy Index/all.md | 602 ++++++++++++++++++------------------- 1 file changed, 301 insertions(+), 301 deletions(-) diff --git a/docs/5.Policy Index/all.md b/docs/5.Policy Index/all.md index f1b850bbfc..1f301f2645 100644 --- a/docs/5.Policy Index/all.md +++ b/docs/5.Policy Index/all.md @@ -329,8 +329,8 @@ nav_order: 1 | 318 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | | 319 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | | 320 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | -| 321 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | -| 322 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 321 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 322 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | | 323 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | | 324 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | | 325 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | @@ -344,28 +344,28 @@ nav_order: 1 | 333 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | | 334 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | | 335 | CKV2_AWS_11 | resource | aws_vpc | Ensure VPC flow logging is enabled in all VPCs | Terraform | -| 336 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | -| 337 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 336 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 337 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | | 338 | CKV2_AWS_13 | resource | aws_redshift_cluster | Ensure that Redshift clusters has backup plan of AWS Backup | Terraform | -| 339 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | -| 340 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | -| 341 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 342 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 339 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | +| 340 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | +| 341 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 342 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | | 343 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 344 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 345 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | -| 346 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 347 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | +| 346 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | +| 347 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | | 348 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | | 349 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | | 350 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | | 351 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | | 352 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | -| 353 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | -| 354 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | +| 353 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | +| 354 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | | 355 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | -| 356 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | -| 357 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | +| 356 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | +| 357 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | | 358 | CKV_AZURE_1 | resource | azurerm_linux_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | | 359 | CKV_AZURE_1 | resource | azurerm_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | | 360 | CKV_AZURE_1 | resource | Microsoft.Compute/virtualMachines | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | arm | @@ -578,34 +578,34 @@ nav_order: 1 | 567 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | | 568 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | | 569 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 570 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | -| 571 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 570 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 571 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 572 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | -| 573 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | -| 574 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | +| 573 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | +| 574 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 575 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | -| 576 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | -| 577 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 576 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 577 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | | 578 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | | 579 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | | 580 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | | 581 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | -| 582 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | -| 583 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | +| 582 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | +| 583 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | | 584 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | | 585 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | | 586 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 587 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 588 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 589 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | -| 590 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 587 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 588 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 589 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 590 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 591 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | -| 592 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 593 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 592 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 593 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | | 594 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | | 595 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 596 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 597 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 596 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 597 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 598 | CKV_DOCKER_1 | dockerfile | EXPOSE | Ensure port 22 is not exposed | dockerfile | | 599 | CKV_DOCKER_2 | dockerfile | * | Ensure that HEALTHCHECK instructions have been added to container images | dockerfile | | 600 | CKV_DOCKER_3 | dockerfile | * | Ensure that a user for the container has been created | dockerfile | @@ -698,277 +698,277 @@ nav_order: 1 | 687 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | | 688 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | | 689 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 690 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 691 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 692 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 693 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 694 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 695 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 696 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 697 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 698 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 699 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 700 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 701 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 702 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 703 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 704 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 705 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 706 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 707 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 708 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 709 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 710 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 711 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 712 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 713 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 714 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 715 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 716 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 717 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 718 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 719 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 720 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 721 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 722 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 723 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 724 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 725 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 726 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 727 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 728 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 729 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 730 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 731 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 732 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 733 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 734 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 735 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 736 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 737 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 738 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 739 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 740 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 741 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 742 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 743 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 744 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 745 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 746 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 747 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 748 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 749 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 750 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 751 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 752 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 753 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 754 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 755 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 756 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 757 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 758 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 759 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 760 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 761 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 762 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 763 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 764 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 765 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 766 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 767 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 768 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 769 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 770 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 771 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 772 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 773 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 774 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 775 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 776 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 777 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 778 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 779 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 780 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 781 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 782 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 783 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 784 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 785 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 786 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 787 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 788 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 789 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 790 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 791 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 792 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 793 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 794 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 795 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 796 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 797 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 798 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 799 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 800 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 801 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 802 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 803 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 804 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 805 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 806 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 807 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 808 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 809 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 810 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 811 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 812 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 813 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 814 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 815 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 816 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 817 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 818 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 819 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 820 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 821 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 822 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 823 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 824 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 825 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 826 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 827 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 828 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 829 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 830 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 831 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 832 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 833 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 834 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 835 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 836 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 837 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 838 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 839 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 840 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 841 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 842 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 843 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 844 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 845 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 846 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 847 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 848 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 849 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 850 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 851 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 852 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 853 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 854 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 855 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 856 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 857 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 858 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 859 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 860 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 861 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 862 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 863 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 864 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 865 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 866 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 867 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 868 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 869 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 870 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 871 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 872 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 873 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 874 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 875 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 876 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 877 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 878 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 879 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 880 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 881 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 882 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 883 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 884 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 885 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 886 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 887 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 888 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 889 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 890 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 891 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 892 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 893 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 894 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 895 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 896 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 897 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 898 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 899 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 900 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 901 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 902 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 903 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 904 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 905 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 906 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 907 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 908 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 909 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 910 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 911 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 912 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 913 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 914 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 915 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 916 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 917 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 918 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 919 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 920 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 921 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 922 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 923 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 924 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 925 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 926 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 927 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 928 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 929 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 930 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 931 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 932 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 933 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 934 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 935 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 936 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 937 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 938 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 939 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 940 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 941 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 942 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 943 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 944 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 945 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 946 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 947 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 948 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 949 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 950 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 951 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 952 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 953 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 954 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 955 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 956 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 957 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 958 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 959 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 960 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 690 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 691 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 692 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 693 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 694 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 695 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 696 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 697 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 698 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 699 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 700 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 701 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 702 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 703 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 704 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 705 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 706 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 707 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 708 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 709 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 710 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 711 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 712 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 713 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 714 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 715 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 716 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 717 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 718 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 719 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 720 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 721 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 722 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 723 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 724 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 725 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 726 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 727 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 728 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 729 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 730 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 731 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 732 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 733 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 734 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 735 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 736 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 737 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 738 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 739 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 740 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 741 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 742 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 743 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 744 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 745 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 746 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 747 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 748 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 749 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 750 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 751 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 752 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 753 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 754 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 755 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 756 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 757 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 758 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 759 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 760 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 761 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 762 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 763 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 764 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 765 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 766 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 767 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 768 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 769 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 770 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 771 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 772 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 773 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 774 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 775 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 776 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 777 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 778 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 779 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 780 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 781 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 782 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 783 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 784 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 785 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 786 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 787 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 788 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 789 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 790 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 791 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 792 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 793 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 794 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 795 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 796 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 797 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 798 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 799 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 800 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 801 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 802 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 803 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 804 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 805 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 806 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 807 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 808 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 809 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 810 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 811 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 812 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 813 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 814 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 815 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 816 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 817 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 818 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 819 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 820 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 821 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 822 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 823 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 824 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 825 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 826 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 827 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 828 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 829 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 830 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 831 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 832 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 833 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 834 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 835 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 836 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 837 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 838 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 839 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 840 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 841 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 842 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 843 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 844 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 845 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 846 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 847 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 848 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 849 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 850 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 851 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 852 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 853 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 854 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 855 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 856 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 857 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 858 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 859 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 860 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 861 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 862 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 863 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 864 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 865 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 866 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 867 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 868 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 869 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 870 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 871 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 872 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 873 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 874 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 875 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 876 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 877 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 878 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 879 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 880 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 881 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 882 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 883 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 884 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 885 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 886 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 887 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 888 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 889 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 890 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 891 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 892 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 893 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 894 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 895 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 896 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 897 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 898 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 899 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 900 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 901 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 902 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 903 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 904 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 905 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 906 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 907 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 908 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 909 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 910 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 911 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 912 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 913 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 914 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 915 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 916 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 917 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 918 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 919 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 920 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 921 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 922 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 923 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 924 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 925 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 926 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 927 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 928 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 929 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 930 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 931 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 932 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 933 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 934 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 935 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 936 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 937 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 938 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 939 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 940 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 941 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 942 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 943 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 944 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 945 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 946 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 947 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 948 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 949 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 950 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 951 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 952 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 953 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 954 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 955 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 956 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 957 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 958 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 959 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 960 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | | 961 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 962 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 963 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform | From b975b611bccf6c353eb0f4fd978ee663c524f47e Mon Sep 17 00:00:00 2001 From: Nimrod Kor Date: Mon, 16 Aug 2021 17:52:27 +0300 Subject: [PATCH 111/203] Merge pull request #1497 from n2qz/bugfix/require-junit-xml-1-9 Requires junit-xml>=1.9, fixes #1495 --- docs/5.Policy Index/serverless.md | 130 ++++++++++++++++++++++++++++++ 1 file changed, 130 insertions(+) diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index d35af83ca3..020ab484d2 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md @@ -16,3 +16,133 @@ nav_order: 1 --- +| | Id | Type | Entity | Policy | IaC | +|-----|-------------|----------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| +| 0 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | +| 1 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | +| 2 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | +| 3 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | +| 4 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | +| 5 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | +| 6 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | +| 7 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | +| 8 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | +| 9 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | +| 10 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | +| 11 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | +| 12 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | +| 13 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | +| 14 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | +| 15 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 16 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 17 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 18 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 19 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | +| 20 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | +| 21 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | +| 22 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | +| 23 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | +| 24 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | +| 25 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | +| 26 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | +| 27 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | +| 28 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | +| 29 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | +| 30 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | +| 31 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | +| 32 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | +| 33 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | +| 34 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | +| 35 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | +| 36 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | +| 37 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | +| 38 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | +| 39 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | +| 40 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | +| 41 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | +| 42 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | +| 43 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | +| 44 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | +| 45 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | +| 46 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | +| 47 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | +| 48 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | +| 49 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | +| 50 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | +| 51 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | +| 52 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | +| 53 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | +| 54 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | +| 55 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | +| 56 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | +| 57 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | +| 58 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | +| 59 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | +| 60 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | +| 61 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | +| 62 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | +| 63 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | +| 64 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | +| 65 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | +| 66 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | +| 67 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | +| 68 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | +| 69 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | +| 70 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | +| 71 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | +| 72 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | +| 73 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | +| 74 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | +| 75 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | +| 76 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | +| 77 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | +| 78 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | +| 79 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | +| 80 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 81 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 82 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 83 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 84 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 85 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 86 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 87 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 88 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 89 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 90 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 91 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 92 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 93 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 94 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 95 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 96 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 97 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 98 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 99 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 100 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 101 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 102 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 103 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 104 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 105 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | +| 106 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | +| 107 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | +| 108 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | +| 109 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | +| 110 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | +| 111 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | +| 112 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | +| 113 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | +| 114 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | +| 115 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | +| 116 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | +| 117 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | +| 118 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | +| 119 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | +| 120 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | +| 121 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | +| 122 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | + + +--- + + From 5978298ab00670f2f15f57a77e300399096591bc Mon Sep 17 00:00:00 2001 From: Nimrod Kor Date: Mon, 16 Aug 2021 17:52:15 +0300 Subject: [PATCH 112/203] Merge pull request #1499 from Homopatrol/master Update Dockerfile to run as a non-root user --- checkov/version.py | 2 +- kubernetes/requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/checkov/version.py b/checkov/version.py index 7a107970a1..c4de1a27b6 100644 --- a/checkov/version.py +++ b/checkov/version.py @@ -1 +1 @@ -version = '2.0.350' +version = '2.0.351' diff --git a/kubernetes/requirements.txt b/kubernetes/requirements.txt index 8098571ddf..b75dcfa101 100644 --- a/kubernetes/requirements.txt +++ b/kubernetes/requirements.txt @@ -1 +1 @@ -checkov==2.0.350 +checkov==2.0.351 From 8d3a276e3b06ab20be5d262658363c7c79ae9dec Mon Sep 17 00:00:00 2001 From: nimrodkor Date: Mon, 16 Aug 2021 18:13:42 +0300 Subject: [PATCH 113/203] Re-add Ref vertices --- checkov/cloudformation/cfn_utils.py | 7 ------ .../graph_builder/local_graph.py | 2 +- checkov/cloudformation/runner.py | 9 +++++++ .../graph/graph_builder/test_local_graph.py | 24 +++++++++---------- 4 files changed, 22 insertions(+), 20 deletions(-) diff --git a/checkov/cloudformation/cfn_utils.py b/checkov/cloudformation/cfn_utils.py index 62e48f5429..0461dcb5dc 100644 --- a/checkov/cloudformation/cfn_utils.py +++ b/checkov/cloudformation/cfn_utils.py @@ -207,11 +207,4 @@ def create_definitions( if v and isinstance(v, dict_node) and v.__contains__("Resources") and isinstance(v["Resources"], dict_node) } definitions_raw = {k: v for k, v in definitions_raw.items() if k in definitions.keys()} - - for cf_file in definitions.keys(): - cf_context_parser = ContextParser(cf_file, definitions[cf_file], definitions_raw[cf_file]) - logging.debug( - "Template Dump for {}: {}".format(cf_file, json.dumps(definitions[cf_file], indent=2, default=str)) - ) - cf_context_parser.evaluate_default_refs() return definitions, definitions_raw diff --git a/checkov/cloudformation/graph_builder/local_graph.py b/checkov/cloudformation/graph_builder/local_graph.py index 6f19f32d0c..6505c7c32d 100644 --- a/checkov/cloudformation/graph_builder/local_graph.py +++ b/checkov/cloudformation/graph_builder/local_graph.py @@ -227,7 +227,7 @@ def _create_edges(self) -> None: self._add_resource_attr_connections(IntrinsicFunctions.CONDITION.value) self._add_fn_connections(IntrinsicFunctions.GET_ATT.value) self._add_fn_connections(ConditionFunctions.IF.value) - #self._add_fn_connections(IntrinsicFunctions.REF.value) + self._add_fn_connections(IntrinsicFunctions.REF.value) self._add_fn_connections(IntrinsicFunctions.FIND_IN_MAP.value) self._add_fn_sub_connections() diff --git a/checkov/cloudformation/runner.py b/checkov/cloudformation/runner.py index c85d551aa1..5306ff4aed 100644 --- a/checkov/cloudformation/runner.py +++ b/checkov/cloudformation/runner.py @@ -1,3 +1,4 @@ +import json import logging import os from typing import Optional, List @@ -64,6 +65,14 @@ def run( self.graph_manager.save_graph(local_graph) self.definitions, self.breadcrumbs = convert_graph_vertices_to_definitions(local_graph.vertices, root_folder) + # TODO: replace with real graph rendering + for cf_file in self.definitions.keys(): + cf_context_parser = ContextParser(cf_file, self.definitions[cf_file], self.definitions_raw[cf_file]) + logging.debug( + "Template Dump for {}: {}".format(cf_file, json.dumps(self.definitions[cf_file], indent=2, default=str)) + ) + cf_context_parser.evaluate_default_refs() + # run checks self.check_definitions(root_folder, runner_filter, report) diff --git a/tests/cloudformation/graph/graph_builder/test_local_graph.py b/tests/cloudformation/graph/graph_builder/test_local_graph.py index a30bf0c2d6..5278d37c94 100644 --- a/tests/cloudformation/graph/graph_builder/test_local_graph.py +++ b/tests/cloudformation/graph/graph_builder/test_local_graph.py @@ -79,26 +79,26 @@ def validate_edges_count(self, root_dir) -> None: 'parameters.EnvType': 0, 'parameters.DataBucketName': 0, 'mappings.RegionMap': 0, - 'conditions.CreateProdResources': 0, - 'conditions.CreateDevResources': 0, - 'AWS::EC2::Instance.EC2Instance': 3, - 'AWS::EC2::VolumeAttachment.MountPoint': 1, + 'conditions.CreateProdResources': 1, + 'conditions.CreateDevResources': 1, + 'AWS::EC2::Instance.EC2Instance': 4, + 'AWS::EC2::VolumeAttachment.MountPoint': 3, 'AWS::EC2::Volume.NewVolume': 2, - 'AWS::S3::Bucket.DataBucket': 3, - 'outputs.EC2InstanceId': 0, + 'AWS::S3::Bucket.DataBucket': 4, + 'outputs.EC2InstanceId': 1, 'outputs.EC2PublicDNS': 1, 'outputs.DataBucketUniqueId': 2 } expected_in_edges_count = { - 'parameters.EnvType': 1, - 'parameters.DataBucketName': 2, + 'parameters.EnvType': 4, + 'parameters.DataBucketName': 3, 'mappings.RegionMap': 1, 'conditions.CreateProdResources': 3, 'conditions.CreateDevResources': 1, - 'AWS::EC2::Instance.EC2Instance': 3, + 'AWS::EC2::Instance.EC2Instance': 5, 'AWS::EC2::VolumeAttachment.MountPoint': 0, - 'AWS::EC2::Volume.NewVolume': 0, + 'AWS::EC2::Volume.NewVolume': 1, 'AWS::S3::Bucket.DataBucket': 1, 'outputs.EC2InstanceId': 0, 'outputs.EC2PublicDNS': 0, @@ -114,14 +114,14 @@ def validate_edges_count(self, root_dir) -> None: out_edges_overall_count = 0 for vertex_index, actual_out_edges in local_graph.out_edges.items(): vertex_id = idx_to_vertex_id[vertex_index] - self.assertEqual(len(actual_out_edges), expected_out_edges_count[vertex_id]) + self.assertEqual(len(actual_out_edges), expected_out_edges_count[vertex_id], f'{vertex_id} actually has {len(actual_out_edges)} outgoing edges, not {expected_out_edges_count[vertex_id]}') out_edges_overall_count += len(actual_out_edges) # we check that each entity in the template file has the right amount of in edges_yaml in_edges_overall_count = 0 for vertex_index, actual_in_edges in local_graph.in_edges.items(): vertex_id = idx_to_vertex_id[vertex_index] - self.assertEqual(len(actual_in_edges), expected_in_edges_count[vertex_id]) + self.assertEqual(len(actual_in_edges), expected_in_edges_count[vertex_id], f'{vertex_id} actually has {len(actual_in_edges)} outgoing edges, not {expected_in_edges_count[vertex_id]}') in_edges_overall_count += len(actual_in_edges) # we check that the overall amount of out edges_yaml equals the overall amount of in edges_yaml From 990e40f77713b18a3178b3be9f1cf06c14c18100 Mon Sep 17 00:00:00 2001 From: nimrodkor Date: Mon, 16 Aug 2021 18:35:41 +0300 Subject: [PATCH 114/203] Fix evaluation of Ref edges --- checkov/cloudformation/context_parser.py | 2 +- .../graph_builder/graph_components/block_types.py | 11 ----------- .../graph_builder/graph_to_definitions.py | 7 +++---- 3 files changed, 4 insertions(+), 16 deletions(-) diff --git a/checkov/cloudformation/context_parser.py b/checkov/cloudformation/context_parser.py index 1b2e9fa7e0..9b871f7dd0 100644 --- a/checkov/cloudformation/context_parser.py +++ b/checkov/cloudformation/context_parser.py @@ -32,7 +32,7 @@ def evaluate_default_refs(self) -> None: ref.pop() # Get rid of the 'Ref' dict key # TODO refactor into evaluations - default_value = self.cf_template.get("Parameters", {}).get(refname, {}).get("Default") + default_value = self.cf_template.get("Parameters", {}).get(refname, {}).get("Properties", {}).get("Default") if default_value is not None: logging.debug( "Replacing Ref {} in file {} with default parameter value: {}".format( diff --git a/checkov/cloudformation/graph_builder/graph_components/block_types.py b/checkov/cloudformation/graph_builder/graph_components/block_types.py index 1242fa6c56..9333c810eb 100644 --- a/checkov/cloudformation/graph_builder/graph_components/block_types.py +++ b/checkov/cloudformation/graph_builder/graph_components/block_types.py @@ -13,14 +13,3 @@ class BlockType(CommonBlockType): CONDITION = "conditions" TRANSFORM = "transform" OUTPUT = "outputs" - - -class CloudformationTemplateSections(str, Enum): - RESOURCES = "Resources" - METADATA = "Metadata" - PARAMETERS = "Parameters" - RULES = "Rules" - MAPPINGS = "Mappings" - CONDITIONS = "Conditions" - TRANSFORM = "Transform" - OUTPUTS = "Outputs" diff --git a/checkov/cloudformation/graph_builder/graph_to_definitions.py b/checkov/cloudformation/graph_builder/graph_to_definitions.py index d538f0d18f..a8ced5d5ca 100644 --- a/checkov/cloudformation/graph_builder/graph_to_definitions.py +++ b/checkov/cloudformation/graph_builder/graph_to_definitions.py @@ -4,7 +4,6 @@ from checkov.cloudformation.graph_builder.graph_components.block_types import BlockType from checkov.cloudformation.parser import TemplateSections from checkov.cloudformation.graph_builder.graph_components.blocks import CloudformationBlock -from checkov.cloudformation.parser.node import dict_node def convert_graph_vertices_to_definitions( @@ -13,14 +12,14 @@ def convert_graph_vertices_to_definitions( definitions: Dict[str, Dict[str, Any]] = {} breadcrumbs: Dict[str, Dict[str, Any]] = {} for vertex in vertices: - if vertex.block_type != BlockType.RESOURCE: + if vertex.block_type != BlockType.RESOURCE and vertex.block_type != BlockType.PARAMETER: continue block_path = vertex.path - block_type = TemplateSections.RESOURCES.value if vertex.block_type == 'resource' else vertex.block_type + block_type = TemplateSections.RESOURCES.value if vertex.block_type == 'resource' else TemplateSections.PARAMETERS.value block_name = vertex.name.split('.')[-1] # vertex.name is "type.name" so type.name -> [type, name] definition = { - 'Type': vertex.attributes['resource_type'], + 'Type': vertex.attributes['resource_type'] if vertex.block_type == BlockType.RESOURCE else vertex.block_type, 'Properties': vertex.config } definitions.setdefault(block_path, {}).setdefault(block_type, {}).setdefault(block_name, definition) From 5eeae4b9c8c79b0db569c3b6bc59bf773e614b99 Mon Sep 17 00:00:00 2001 From: Pandora <58219367+Homopatrol@users.noreply.github.com> Date: Mon, 16 Aug 2021 17:20:57 +0100 Subject: [PATCH 115/203] Update Dockerfile --- Dockerfile | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/Dockerfile b/Dockerfile index eca10fff98..d95ed12d44 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,12 +4,10 @@ ARG UID=1000 ARG GID=1000 ARG USERNAME=checkov -RUN apk update && apk add --no-cache git util-linux bash openssl - -RUN pip install --no-cache-dir -U checkov -RUN wget -q -O get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3; chmod 700 get_helm.sh; VERIFY_CHECKSUM=true ./get_helm.sh; rm ./get_helm.sh - -RUN addgroup -S -g ${GID} ${USERNAME} && \ +RUN apk update && apk add --no-cache git util-linux bash openssl && \ + pip install --no-cache-dir -U checkov && \ + wget -q -O get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3; chmod 700 get_helm.sh; VERIFY_CHECKSUM=true ./get_helm.sh; rm ./get_helm.sh && \ + addgroup -S -g ${GID} ${USERNAME} && \ adduser -S -D -u ${UID} -G ${USERNAME} ${USERNAME} COPY --chown=${USERNAME}:0 ./github_action_resources/entrypoint.sh /entrypoint.sh From 1c4969c39679bca6567569379e71942367c21582 Mon Sep 17 00:00:00 2001 From: nimrodkor Date: Mon, 16 Aug 2021 22:38:53 +0300 Subject: [PATCH 116/203] Reuse existing methods and fix UT --- checkov/cloudformation/graph_manager.py | 25 +++++++++++----------- tests/cloudformation/test_graph_manager.py | 18 +++++++++++----- 2 files changed, 25 insertions(+), 18 deletions(-) diff --git a/checkov/cloudformation/graph_manager.py b/checkov/cloudformation/graph_manager.py index 84d072e29f..a3753348ab 100644 --- a/checkov/cloudformation/graph_manager.py +++ b/checkov/cloudformation/graph_manager.py @@ -4,6 +4,7 @@ from checkov.cloudformation.cfn_utils import get_folder_definitions from checkov.cloudformation.context_parser import ContextParser +from checkov.cloudformation.graph_builder.graph_to_definitions import convert_graph_vertices_to_definitions from checkov.cloudformation.graph_builder.local_graph import CloudformationLocalGraph from checkov.cloudformation.parser.node import dict_node from checkov.common.graph.db_connectors.db_connector import DBConnector @@ -25,19 +26,17 @@ def build_graph_from_source_directory( ) -> Tuple[CloudformationLocalGraph, Dict[str, dict_node]]: logging.info("[CloudformationGraphManager] Parsing files in source dir {source_dir}") definitions, definitions_raw = get_folder_definitions(source_dir, excluded_paths) - if render_variables: - for cf_file in definitions: - cf_context_parser = ContextParser(cf_file, definitions[cf_file], definitions_raw[cf_file]) - logging.debug( - "Template Dump for {}: {}".format(cf_file, json.dumps(definitions[cf_file], indent=2, default=str)) - ) - cf_context_parser.evaluate_default_refs() - logging.info("[CloudformationGraphManager] Building graph from parsed definitions") - - local_graph = local_graph_class(definitions, source=self.source) - local_graph.build_graph(render_variables=render_variables) - - return local_graph, definitions + local_graph = self.build_graph_from_definitions(definitions, render_variables) + rendered_definitions, _ = convert_graph_vertices_to_definitions(local_graph.vertices, source_dir) + + # TODO: replace with real graph rendering + for cf_file in rendered_definitions.keys(): + cf_context_parser = ContextParser(cf_file, rendered_definitions[cf_file], definitions_raw[cf_file]) + logging.debug( + "Template Dump for {}: {}".format(cf_file, json.dumps(rendered_definitions[cf_file], indent=2, default=str)) + ) + cf_context_parser.evaluate_default_refs() + return local_graph, rendered_definitions def build_graph_from_definitions( self, definitions: Dict[str, dict_node], render_variables: bool = False diff --git a/tests/cloudformation/test_graph_manager.py b/tests/cloudformation/test_graph_manager.py index b85d75b717..bd4810ee18 100644 --- a/tests/cloudformation/test_graph_manager.py +++ b/tests/cloudformation/test_graph_manager.py @@ -56,12 +56,20 @@ def test_build_graph_from_source_directory_no_rendering(self): self.assertDictEqual({'Fn::Join': ['', [{'Ref': 'ResourceNamePrefix', '__startline__': 650, '__endline__': 652}, '-acmecws']], '__startline__': 646, '__endline__': 656}, sqs_queue_vertex.attributes["QueueName"]) def test_build_graph_from_source_directory_with_rendering(self): - root_dir = os.path.realpath(os.path.join(TEST_DIRNAME, "./runner/resources")) - graph_manager = CloudformationGraphManager(db_connector=NetworkxConnector()) - local_graph, definitions = graph_manager.build_graph_from_source_directory(root_dir, render_variables=True) + root_dir = os.path.realpath(os.path.join(TEST_DIRNAME, "./runner/resources")) + graph_manager = CloudformationGraphManager(db_connector=NetworkxConnector()) + local_graph, definitions = graph_manager.build_graph_from_source_directory(root_dir, render_variables=True) - sqs_queue_vertex = local_graph.vertices[local_graph.vertices_block_name_map[BlockType.RESOURCE]["AWS::SQS::Queue.acmeCWSQueue"][0]] - self.assertDictEqual({'Fn::Join': ['', ['acme', '-acmecws']], '__startline__': 646, '__endline__': 656}, sqs_queue_vertex.attributes["QueueName"]) + sqs_queue_vertex = local_graph.vertices[local_graph.vertices_block_name_map[BlockType.RESOURCE]["AWS::SQS::Queue.acmeCWSQueue"][0]] + expected_node = {'Fn::Join': ['', ['acme', '-acmecws']], '__startline__': 646, '__endline__': 656} + self.assertDictEqual(expected_node, sqs_queue_vertex.config["QueueName"]) + found = False + for d in definitions: + if 'resources/success.json' in d: + found = True + node = definitions[d]['Resources']['acmeCWSQueue']['Properties']['QueueName'] + self.assertDictEqual(expected_node, node) + self.assertTrue(found, 'Did not find the wanted node, for acmeCWSQueue') def test_build_graph_from_definitions(self): relative_file_path = "./checks/resource/aws/example_APIGatewayXray/APIGatewayXray-PASSED.yaml" From 03f105ff59b1482fd12c574a2dd3528ef17388d2 Mon Sep 17 00:00:00 2001 From: Nimrod Kor Date: Mon, 16 Aug 2021 17:52:27 +0300 Subject: [PATCH 117/203] Merge pull request #1497 from n2qz/bugfix/require-junit-xml-1-9 Requires junit-xml>=1.9, fixes #1495 --- docs/5.Policy Index/terraform.md | 594 +++++++++++++++---------------- 1 file changed, 297 insertions(+), 297 deletions(-) diff --git a/docs/5.Policy Index/terraform.md b/docs/5.Policy Index/terraform.md index 110c245816..c13ff39442 100644 --- a/docs/5.Policy Index/terraform.md +++ b/docs/5.Policy Index/terraform.md @@ -201,14 +201,14 @@ nav_order: 1 | 190 | CKV_AWS_170 | resource | aws_qldb_ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Terraform | | 191 | CKV_AWS_171 | resource | aws_emr_security_configuration | Ensure Cluster security configuration encryption is using SSE-KMS | Terraform | | 192 | CKV_AWS_172 | resource | aws_qldb_ledger | Ensure QLDB ledger has deletion protection enabled | Terraform | -| 193 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | -| 194 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | -| 195 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | -| 196 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | -| 197 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 198 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 199 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | -| 200 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 193 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | +| 194 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | +| 195 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 196 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 197 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | +| 198 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | +| 199 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 200 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | | 201 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to an other resource | Terraform | | 202 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | | 203 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | @@ -218,11 +218,11 @@ nav_order: 1 | 207 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | | 208 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | | 209 | CKV2_AWS_11 | resource | aws_vpc | Ensure VPC flow logging is enabled in all VPCs | Terraform | -| 210 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | -| 211 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 210 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 211 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | | 212 | CKV2_AWS_13 | resource | aws_redshift_cluster | Ensure that Redshift clusters has backup plan of AWS Backup | Terraform | -| 213 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | -| 214 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | +| 213 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | +| 214 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | | 215 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | | 216 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | | 217 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | @@ -235,8 +235,8 @@ nav_order: 1 | 224 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | | 225 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | | 226 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | -| 227 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | -| 228 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | +| 227 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | +| 228 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | | 229 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | | 230 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | | 231 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | @@ -391,22 +391,22 @@ nav_order: 1 | 380 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | | 381 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | | 382 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 383 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 384 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 383 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 384 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 385 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 386 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 387 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 386 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 387 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 388 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 389 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 390 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 391 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | -| 392 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 389 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 390 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 391 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 392 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 393 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | | 394 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 395 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 396 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | -| 397 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | -| 398 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 397 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 398 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | | 399 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | | 400 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | | 401 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | @@ -414,16 +414,16 @@ nav_order: 1 | 403 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | | 404 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | | 405 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | -| 406 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 407 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 406 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 407 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | | 408 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | | 409 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | | 410 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 411 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 412 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | | 413 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 414 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 415 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 414 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 415 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | | 416 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 417 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 418 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | @@ -511,277 +511,277 @@ nav_order: 1 | 500 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | | 501 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | | 502 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 503 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 504 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 505 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 506 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 507 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 508 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 509 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 510 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 511 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 512 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 513 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 514 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 515 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 516 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 517 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 518 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 519 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 520 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 521 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 522 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 523 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 524 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 525 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 526 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 527 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 528 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 529 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 530 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 531 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 532 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 533 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 534 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 535 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 536 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 537 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 538 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 539 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 540 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 541 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 542 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 543 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 544 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 545 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 546 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 547 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 548 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 549 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 550 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 551 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 552 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 553 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 554 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 555 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 556 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 557 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 558 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 559 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 560 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 561 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 562 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 563 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 564 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 565 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 566 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 567 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 568 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 569 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 570 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 571 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 572 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 573 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 574 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 575 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 576 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 577 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 578 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 579 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 580 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 581 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 582 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 583 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 584 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 585 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 586 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 587 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 588 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 589 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 590 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 591 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 592 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 593 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 594 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 595 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 596 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 597 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 598 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 599 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 600 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 601 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 602 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 603 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 604 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 605 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 606 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 607 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 608 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 609 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 610 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 611 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 612 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 613 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 614 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 615 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 616 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 617 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 618 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 619 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 620 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 621 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 622 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 623 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 624 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 625 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 626 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 627 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 628 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 629 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 630 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 631 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 632 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 633 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 634 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 635 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 636 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 637 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 638 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 639 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 640 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 641 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 642 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 643 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 644 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 645 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 646 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 647 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 648 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 649 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 650 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 651 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 652 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 653 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 654 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 655 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 656 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 657 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 658 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 659 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 660 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 661 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 662 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 663 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 664 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 665 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 666 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 667 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 668 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 669 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 670 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 671 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 672 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 673 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 674 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 675 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 676 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 677 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 678 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 679 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 680 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 681 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 682 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 683 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 684 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 685 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 686 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 687 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 688 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 689 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 690 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 691 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 692 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 693 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 694 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 695 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 696 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 697 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 698 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 699 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 700 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 701 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 702 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 703 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 704 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 705 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 706 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 707 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 708 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 709 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 710 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 711 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 712 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 713 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 714 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 715 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 716 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 717 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 718 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 719 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 720 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 721 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 722 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 723 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 724 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 725 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 726 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 727 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 728 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 729 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 730 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 731 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 732 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 733 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 734 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 735 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 736 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 737 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 738 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 739 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 740 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 741 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 742 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 743 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 744 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 745 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 746 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 747 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 748 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 749 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 750 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 751 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 752 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 753 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 754 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 755 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 756 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 757 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 758 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 759 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 760 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 761 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 762 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 763 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 764 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 765 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 766 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 767 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 768 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 503 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 504 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 505 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 506 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 507 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 508 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 509 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 510 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 511 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 512 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 513 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 514 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 515 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 516 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 517 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 518 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 519 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 520 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 521 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 522 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 523 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 524 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 525 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 526 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 527 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 528 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 529 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 530 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 531 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 532 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 533 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 534 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 535 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 536 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 537 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 538 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 539 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 540 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 541 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 542 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 543 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 544 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 545 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 546 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 547 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 548 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 549 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 550 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 551 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 552 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 553 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 554 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 555 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 556 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 557 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 558 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 559 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 560 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 561 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 562 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 563 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 564 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 565 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 566 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 567 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 568 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 569 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 570 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 571 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 572 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 573 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 574 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 575 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 576 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 577 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 578 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 579 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 580 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 581 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 582 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 583 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 584 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 585 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 586 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 587 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 588 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 589 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 590 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 591 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 592 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 593 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 594 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 595 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 596 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 597 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 598 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 599 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 600 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 601 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 602 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 603 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 604 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 605 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 606 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 607 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 608 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 609 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 610 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 611 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 612 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 613 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 614 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 615 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 616 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 617 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 618 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 619 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 620 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 621 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 622 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 623 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 624 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 625 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 626 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 627 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 628 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 629 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 630 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 631 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 632 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 633 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 634 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 635 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 636 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 637 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 638 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 639 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 640 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 641 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 642 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 643 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 644 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 645 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 646 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 647 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 648 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 649 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 650 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 651 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 652 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 653 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 654 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 655 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 656 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 657 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 658 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 659 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 660 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 661 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 662 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 663 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 664 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 665 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 666 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 667 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 668 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 669 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 670 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 671 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 672 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 673 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 674 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 675 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 676 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 677 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 678 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 679 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 680 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 681 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 682 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 683 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 684 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 685 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 686 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 687 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 688 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 689 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 690 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 691 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 692 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 693 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 694 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 695 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 696 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 697 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 698 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 699 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 700 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 701 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 702 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 703 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 704 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 705 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 706 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 707 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 708 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 709 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 710 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 711 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 712 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 713 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 714 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 715 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 716 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 717 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 718 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 719 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 720 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 721 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 722 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 723 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 724 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 725 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 726 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 727 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 728 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 729 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 730 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 731 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 732 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 733 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 734 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 735 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 736 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 737 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 738 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 739 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 740 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 741 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 742 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 743 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 744 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 745 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 746 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 747 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 748 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 749 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 750 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 751 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 752 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 753 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 754 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 755 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 756 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 757 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 758 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 759 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 760 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 761 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 762 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 763 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 764 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 765 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 766 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 767 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 768 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 769 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | | 770 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 771 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 772 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 773 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 771 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 772 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 773 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | | 774 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 775 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 776 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform | From 55825ce8c5aa86cf9ef54c2ef06c9dd1b18687ae Mon Sep 17 00:00:00 2001 From: Nimrod Kor Date: Mon, 16 Aug 2021 17:52:15 +0300 Subject: [PATCH 118/203] Merge pull request #1499 from Homopatrol/master Update Dockerfile to run as a non-root user --- docs/5.Policy Index/serverless.md | 130 ------------------------------ 1 file changed, 130 deletions(-) diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index 020ab484d2..d35af83ca3 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md @@ -16,133 +16,3 @@ nav_order: 1 --- -| | Id | Type | Entity | Policy | IaC | -|-----|-------------|----------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| -| 0 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | -| 1 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | -| 2 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | -| 3 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | -| 4 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | -| 5 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | -| 6 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | -| 7 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | -| 8 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | -| 9 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | -| 10 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | -| 11 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | -| 12 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | -| 13 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | -| 14 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | -| 15 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 16 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 17 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 18 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 19 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | -| 20 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | -| 21 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | -| 22 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | -| 23 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | -| 24 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | -| 25 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | -| 26 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | -| 27 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | -| 28 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | -| 29 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | -| 30 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | -| 31 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | -| 32 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | -| 33 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | -| 34 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | -| 35 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | -| 36 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | -| 37 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | -| 38 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | -| 39 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | -| 40 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | -| 41 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | -| 42 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | -| 43 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | -| 44 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | -| 45 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | -| 46 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | -| 47 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | -| 48 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | -| 49 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | -| 50 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | -| 51 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | -| 52 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | -| 53 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | -| 54 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | -| 55 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | -| 56 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | -| 57 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | -| 58 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | -| 59 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | -| 60 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | -| 61 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | -| 62 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | -| 63 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | -| 64 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | -| 65 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | -| 66 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | -| 67 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | -| 68 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | -| 69 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | -| 70 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | -| 71 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | -| 72 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | -| 73 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | -| 74 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | -| 75 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | -| 76 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | -| 77 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | -| 78 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | -| 79 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | -| 80 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 81 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 82 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 83 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 84 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 85 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 86 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 87 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 88 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 89 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 90 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 91 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 92 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 93 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 94 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 95 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 96 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 97 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 98 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 99 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 100 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 101 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 102 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 103 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 104 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 105 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | -| 106 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | -| 107 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | -| 108 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | -| 109 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | -| 110 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | -| 111 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | -| 112 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | -| 113 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | -| 114 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | -| 115 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | -| 116 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | -| 117 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | -| 118 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | -| 119 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | -| 120 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | -| 121 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | -| 122 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | - - ---- - - From a7018714033bb42dea72a946b8232ca75c49984d Mon Sep 17 00:00:00 2001 From: Nimrod Kor Date: Mon, 16 Aug 2021 17:52:27 +0300 Subject: [PATCH 119/203] Merge pull request #1497 from n2qz/bugfix/require-junit-xml-1-9 Requires junit-xml>=1.9, fixes #1495 --- docs/5.Policy Index/all.md | 618 ++++++++++++++++++------------------- 1 file changed, 309 insertions(+), 309 deletions(-) diff --git a/docs/5.Policy Index/all.md b/docs/5.Policy Index/all.md index 1f301f2645..29f801ebcd 100644 --- a/docs/5.Policy Index/all.md +++ b/docs/5.Policy Index/all.md @@ -327,45 +327,45 @@ nav_order: 1 | 316 | CKV_AWS_171 | resource | aws_emr_security_configuration | Ensure Cluster security configuration encryption is using SSE-KMS | Terraform | | 317 | CKV_AWS_172 | resource | aws_qldb_ledger | Ensure QLDB ledger has deletion protection enabled | Terraform | | 318 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | -| 319 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | -| 320 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | -| 321 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | -| 322 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | -| 323 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 324 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 325 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | -| 326 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 319 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | +| 320 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | +| 321 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 322 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 323 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | +| 324 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | +| 325 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 326 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | | 327 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to an other resource | Terraform | -| 328 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | -| 329 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | +| 328 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | +| 329 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | | 330 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | | 331 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | | 332 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | | 333 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | | 334 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | | 335 | CKV2_AWS_11 | resource | aws_vpc | Ensure VPC flow logging is enabled in all VPCs | Terraform | -| 336 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | -| 337 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 336 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 337 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | | 338 | CKV2_AWS_13 | resource | aws_redshift_cluster | Ensure that Redshift clusters has backup plan of AWS Backup | Terraform | | 339 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | | 340 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | -| 341 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 342 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 343 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | -| 344 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | +| 341 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 342 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 343 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | +| 344 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 345 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | -| 346 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 347 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | +| 346 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | +| 347 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | | 348 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | | 349 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | | 350 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | | 351 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | | 352 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | -| 353 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | -| 354 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | +| 353 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | +| 354 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | | 355 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | -| 356 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | -| 357 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | +| 356 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | +| 357 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | | 358 | CKV_AZURE_1 | resource | azurerm_linux_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | | 359 | CKV_AZURE_1 | resource | azurerm_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | | 360 | CKV_AZURE_1 | resource | Microsoft.Compute/virtualMachines | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | arm | @@ -567,42 +567,42 @@ nav_order: 1 | 556 | CKV_AZURE_131 | resource | azurerm_security_center_contact | Ensure that 'Security contact emails' is set | Terraform | | 557 | CKV_AZURE_131 | parameter | secureString | SecureString parameter should not have hardcoded default values | arm | | 558 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | -| 559 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 560 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 559 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 560 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | | 561 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 562 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 563 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 562 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 563 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 564 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 565 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 566 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 565 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 566 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 567 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 568 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 569 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 568 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 569 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | | 570 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 571 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 572 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | | 573 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 574 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 575 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | -| 576 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | -| 577 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 576 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 577 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | | 578 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | | 579 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | -| 580 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | -| 581 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | -| 582 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | -| 583 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | +| 580 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | +| 581 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | +| 582 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | +| 583 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | | 584 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | | 585 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | | 586 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 587 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 588 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 587 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 588 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | | 589 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 590 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 591 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | -| 592 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 593 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 594 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 592 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 593 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 594 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | | 595 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 596 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 597 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | @@ -698,279 +698,279 @@ nav_order: 1 | 687 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | | 688 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | | 689 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 690 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 691 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 692 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 693 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 694 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 695 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 696 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 697 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 698 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 699 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 700 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 701 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 702 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 703 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 704 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 705 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 706 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 707 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 708 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 709 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 710 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 711 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 712 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 713 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 714 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 715 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 716 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 717 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 718 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 719 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 720 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 721 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 722 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 723 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 724 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 725 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 726 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 727 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 728 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 729 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 730 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 731 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 732 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 733 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 734 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 735 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 736 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 737 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 738 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 739 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 740 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 741 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 742 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 743 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 744 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 745 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 746 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 747 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 748 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 749 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 750 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 751 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 752 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 753 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 754 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 755 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 756 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 757 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 758 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 759 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 760 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 761 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 762 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 763 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 764 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 765 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 766 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 767 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 768 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 769 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 770 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 771 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 772 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 773 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 774 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 775 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 776 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 777 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 778 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 779 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 780 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 781 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 782 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 783 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 784 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 785 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 786 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 787 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 788 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 789 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 790 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 791 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 792 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 793 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 794 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 795 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 796 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 797 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 798 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 799 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 800 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 801 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 802 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 803 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 804 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 805 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 806 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 807 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 808 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 809 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 810 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 811 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 812 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 813 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 814 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 815 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 816 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 817 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 818 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 819 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 820 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 821 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 822 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 823 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 824 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 825 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 826 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 827 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 828 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 829 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 830 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 831 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 832 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 833 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 834 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 835 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 836 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 837 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 838 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 839 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 840 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 841 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 842 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 843 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 844 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 845 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 846 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 847 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 848 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 849 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 850 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 851 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 852 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 853 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 854 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 855 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 856 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 857 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 858 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 859 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 860 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 861 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 862 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 863 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 864 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 865 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 866 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 867 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 690 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 691 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 692 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 693 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 694 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 695 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 696 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 697 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 698 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 699 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 700 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 701 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 702 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 703 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 704 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 705 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 706 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 707 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 708 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 709 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 710 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 711 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 712 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 713 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 714 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 715 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 716 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 717 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 718 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 719 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 720 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 721 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 722 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 723 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 724 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 725 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 726 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 727 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 728 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 729 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 730 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 731 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 732 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 733 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 734 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 735 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 736 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 737 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 738 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 739 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 740 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 741 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 742 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 743 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 744 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 745 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 746 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 747 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 748 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 749 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 750 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 751 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 752 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 753 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 754 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 755 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 756 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 757 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 758 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 759 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 760 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 761 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 762 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 763 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 764 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 765 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 766 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 767 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 768 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 769 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 770 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 771 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 772 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 773 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 774 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 775 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 776 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 777 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 778 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 779 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 780 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 781 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 782 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 783 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 784 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 785 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 786 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 787 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 788 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 789 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 790 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 791 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 792 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 793 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 794 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 795 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 796 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 797 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 798 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 799 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 800 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 801 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 802 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 803 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 804 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 805 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 806 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 807 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 808 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 809 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 810 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 811 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 812 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 813 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 814 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 815 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 816 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 817 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 818 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 819 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 820 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 821 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 822 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 823 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 824 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 825 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 826 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 827 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 828 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 829 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 830 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 831 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 832 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 833 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 834 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 835 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 836 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 837 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 838 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 839 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 840 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 841 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 842 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 843 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 844 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 845 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 846 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 847 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 848 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 849 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 850 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 851 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 852 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 853 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 854 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 855 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 856 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 857 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 858 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 859 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 860 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 861 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 862 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 863 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 864 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 865 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 866 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 867 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 868 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 869 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 870 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 871 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 872 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 873 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 874 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 875 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 876 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 877 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 878 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 879 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 880 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 881 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 882 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 883 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 884 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 885 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 886 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 887 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 888 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 889 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 890 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 891 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 892 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 893 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 894 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 895 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 896 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 897 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 898 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 899 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 900 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 901 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 902 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 903 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 904 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 905 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 906 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 907 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 908 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 909 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 910 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 911 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 912 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 913 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 914 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 915 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 916 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 917 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 918 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 919 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 920 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 921 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 922 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 923 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 924 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 925 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 926 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 927 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 928 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 929 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 930 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 931 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 932 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 933 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 934 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 935 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 936 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 937 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 938 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 939 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 940 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 941 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 942 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 943 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 944 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 945 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 946 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 947 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 948 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 949 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 950 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 951 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 952 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 953 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 954 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 869 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 870 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 871 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 872 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 873 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 874 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 875 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 876 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 877 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 878 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 879 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 880 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 881 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 882 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 883 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 884 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 885 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 886 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 887 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 888 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 889 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 890 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 891 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 892 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 893 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 894 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 895 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 896 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 897 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 898 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 899 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 900 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 901 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 902 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 903 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 904 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 905 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 906 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 907 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 908 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 909 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 910 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 911 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 912 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 913 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 914 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 915 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 916 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 917 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 918 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 919 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 920 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 921 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 922 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 923 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 924 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 925 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 926 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 927 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 928 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 929 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 930 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 931 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 932 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 933 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 934 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 935 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 936 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 937 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 938 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 939 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 940 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 941 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 942 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 943 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 944 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 945 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 946 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 947 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 948 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 949 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 950 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 951 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 952 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 953 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 954 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 955 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 956 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | | 957 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | | 958 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 959 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 960 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 961 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | -| 962 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 959 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 960 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 961 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 962 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 963 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform | | 964 | CKV_K8S_1 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host process ID namespace | Kubernetes | | 965 | CKV_K8S_2 | resource | PodSecurityPolicy | Do not admit privileged containers | Kubernetes | From 671763a3ed44603912301d22eccacf087809758d Mon Sep 17 00:00:00 2001 From: Nimrod Kor Date: Mon, 16 Aug 2021 17:52:15 +0300 Subject: [PATCH 120/203] Merge pull request #1499 from Homopatrol/master Update Dockerfile to run as a non-root user --- docs/5.Policy Index/serverless.md | 130 ++++++++++++++++++++++++++++++ 1 file changed, 130 insertions(+) diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index d35af83ca3..020ab484d2 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md @@ -16,3 +16,133 @@ nav_order: 1 --- +| | Id | Type | Entity | Policy | IaC | +|-----|-------------|----------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| +| 0 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | +| 1 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | +| 2 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | +| 3 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | +| 4 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | +| 5 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | +| 6 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | +| 7 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | +| 8 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | +| 9 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | +| 10 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | +| 11 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | +| 12 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | +| 13 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | +| 14 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | +| 15 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 16 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 17 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 18 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 19 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | +| 20 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | +| 21 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | +| 22 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | +| 23 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | +| 24 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | +| 25 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | +| 26 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | +| 27 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | +| 28 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | +| 29 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | +| 30 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | +| 31 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | +| 32 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | +| 33 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | +| 34 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | +| 35 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | +| 36 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | +| 37 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | +| 38 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | +| 39 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | +| 40 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | +| 41 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | +| 42 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | +| 43 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | +| 44 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | +| 45 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | +| 46 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | +| 47 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | +| 48 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | +| 49 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | +| 50 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | +| 51 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | +| 52 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | +| 53 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | +| 54 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | +| 55 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | +| 56 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | +| 57 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | +| 58 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | +| 59 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | +| 60 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | +| 61 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | +| 62 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | +| 63 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | +| 64 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | +| 65 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | +| 66 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | +| 67 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | +| 68 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | +| 69 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | +| 70 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | +| 71 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | +| 72 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | +| 73 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | +| 74 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | +| 75 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | +| 76 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | +| 77 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | +| 78 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | +| 79 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | +| 80 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 81 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 82 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 83 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 84 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 85 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 86 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 87 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 88 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 89 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 90 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 91 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 92 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 93 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 94 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 95 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 96 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 97 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 98 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 99 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 100 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 101 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 102 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 103 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 104 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 105 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | +| 106 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | +| 107 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | +| 108 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | +| 109 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | +| 110 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | +| 111 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | +| 112 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | +| 113 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | +| 114 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | +| 115 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | +| 116 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | +| 117 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | +| 118 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | +| 119 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | +| 120 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | +| 121 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | +| 122 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | + + +--- + + From 3b78e33c97384b5bdd5381985f4d80e711c03bc1 Mon Sep 17 00:00:00 2001 From: Nimrod Kor Date: Mon, 16 Aug 2021 17:52:27 +0300 Subject: [PATCH 121/203] Merge pull request #1497 from n2qz/bugfix/require-junit-xml-1-9 Requires junit-xml>=1.9, fixes #1495 --- checkov/version.py | 2 +- kubernetes/requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/checkov/version.py b/checkov/version.py index c4de1a27b6..9b7ff7cbc8 100644 --- a/checkov/version.py +++ b/checkov/version.py @@ -1 +1 @@ -version = '2.0.351' +version = '2.0.352' diff --git a/kubernetes/requirements.txt b/kubernetes/requirements.txt index b75dcfa101..cddd40e78f 100644 --- a/kubernetes/requirements.txt +++ b/kubernetes/requirements.txt @@ -1 +1 @@ -checkov==2.0.351 +checkov==2.0.352 From 0b6a21e6f8127abc4f7d31e91f59266c8e79dee1 Mon Sep 17 00:00:00 2001 From: kartikp10 Date: Mon, 16 Aug 2021 16:39:32 -0400 Subject: [PATCH 122/203] Add ability to use API key --- github_action_resources/entrypoint.sh | 41 +++++++++++++++++++++++++-- 1 file changed, 39 insertions(+), 2 deletions(-) diff --git a/github_action_resources/entrypoint.sh b/github_action_resources/entrypoint.sh index 2b473e344e..60668691d2 100755 --- a/github_action_resources/entrypoint.sh +++ b/github_action_resources/entrypoint.sh @@ -8,7 +8,7 @@ then exit $? fi -# Actions pass inputs as $INPUT_ environmet variables +# Actions pass inputs as $INPUT_ environment variables # [[ -n "$INPUT_CHECK" ]] && CHECK_FLAG="--check $INPUT_CHECK" [[ -n "$INPUT_SKIP_CHECK" ]] && SKIP_CHECK_FLAG="--skip-check $INPUT_SKIP_CHECK" @@ -60,9 +60,46 @@ if [ -n "$INPUT_SOFT_FAIL" ]; then fi echo "::add-matcher::checkov-problem-matcher.json" + +API_KEY=${API_KEY_VARIABLE} + +GIT_BRANCH=${GITHUB_HEAD_REF:=master} +export BC_FROM_BRANCH=${GIT_BRANCH} +export BC_TO_BRANCH=${GITHUB_BASE_REF} +export BC_PR_ID=$(echo $GITHUB_REF | awk 'BEGIN { FS = "/" } ; { print $3 }') +export BC_PR_URL="${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/pull/${BC_PR_ID}" +export BC_COMMIT_HASH=${GITHUB_SHA} +export BC_COMMIT_URL="${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/commit/${GITHUB_SHA}" +export BC_AUTHOR_NAME=${GITHUB_ACTOR} +export BC_AUTHOR_URL="${GITHUB_SERVER_URL}/${BC_AUTHOR_NAME}" +export BC_RUN_ID=${GITHUB_RUN_NUMBER} +export BC_RUN_URL="${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}" +export BC_REPOSITORY_URL="${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}" + +echo "BC_FROM_BRANCH=${GIT_BRANCH}" +echo "BC_TO_BRANCH=${GITHUB_BASE_REF}" +echo "BC_PR_ID=$(echo $GITHUB_REF | awk 'BEGIN { FS = "/" } ; { print $3 }')" +echo "BC_PR_URL="${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/pull/${BC_PR_ID}"" +echo "BC_COMMIT_HASH=${GITHUB_SHA}" +echo "BC_COMMIT_URL="${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/commit/${GITHUB_SHA}"" +echo "BC_AUTHOR_NAME=${GITHUB_ACTOR}" +echo "BC_AUTHOR_URL="${GITHUB_SERVER_URL}/${BC_AUTHOR_NAME}"" +echo "BC_RUN_ID=${GITHUB_RUN_NUMBER}" +echo "BC_RUN_URL="${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}"" +echo "BC_REPOSITORY_URL="${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}"" + echo "running checkov on directory: $1" -checkov -d $INPUT_DIRECTORY $CHECK_FLAG $SKIP_CHECK_FLAG $QUIET_FLAG $SOFT_FAIL_FLAG $FRAMEWORK_FLAG $EXTCHECK_DIRS_FLAG $EXTCHECK_REPOS_FLAG $OUTPUT_FLAG $DOWNLOAD_EXTERNAL_MODULES_FLAG $BASELINE_FLAG $CONFIG_FILE_FLAG + +if [ -n "$API_KEY_VARIABLE" ]; then + echo "checkov --bc-api-key XXXXXXXXX-XXX-XXXXX --branch $GIT_BRANCH --repo-id $GITHUB_REPOSITORY -d $INPUT_DIRECTORY $CHECK_FLAG $SKIP_CHECK_FLAG $QUIET_FLAG $SOFT_FAIL_FLAG $EXTERNAL_CHECKS_DIR_FLAG $OUTPUT_FLAG $DOWNLOAD_EXTERNAL_MODULES_FLAG $INPUT_CONFIG_FILE" + checkov --bc-api-key $API_KEY_VARIABLE --branch $GIT_BRANCH --repo-id $GITHUB_REPOSITORY -d $INPUT_DIRECTORY $CHECK_FLAG $SKIP_CHECK_FLAG $QUIET_FLAG $SOFT_FAIL_FLAG $EXTERNAL_CHECKS_DIR_FLAG $OUTPUT_FLAG $DOWNLOAD_EXTERNAL_MODULES_FLAG $INPUT_CONFIG_FILE + else + echo "checkov -d $INPUT_DIRECTORY $CHECK_FLAG $SKIP_CHECK_FLAG $QUIET_FLAG $EXTERNAL_CHECKS_DIR_FLAG $OUTPUT_FLAG $SOFT_FAIL_FLAG $DOWNLOAD_EXTERNAL_MODULES_FLAG $INPUT_CONFIG_FILE" + checkov -d $INPUT_DIRECTORY $CHECK_FLAG $SKIP_CHECK_FLAG $QUIET_FLAG $EXTERNAL_CHECKS_DIR_FLAG $OUTPUT_FLAG $SOFT_FAIL_FLAG $DOWNLOAD_EXTERNAL_MODULES_FLAG $INPUT_CONFIG_FILE +fi + CHECKOV_EXIT_CODE=$? + if [ -n "$INPUT_DOWNLOAD_EXTERNAL_MODULES" ] && [ "$INPUT_DOWNLOAD_EXTERNAL_MODULES" = "true" ]; then echo "Cleaning up $INPUT_DIRECTORY/.external_modules directory" #This directory must be removed here for the self hosted github runners run as non-root user. From 46a44e1bb50c356449a8d41e813446b90c15d0d7 Mon Sep 17 00:00:00 2001 From: kartikp10 Date: Mon, 16 Aug 2021 17:25:49 -0400 Subject: [PATCH 123/203] Add hard_fail_on, soft_fail_on args --- github_action_resources/entrypoint.sh | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/github_action_resources/entrypoint.sh b/github_action_resources/entrypoint.sh index 60668691d2..da632f9e15 100755 --- a/github_action_resources/entrypoint.sh +++ b/github_action_resources/entrypoint.sh @@ -16,6 +16,9 @@ fi [[ -n "$INPUT_OUTPUT_FORMAT" ]] && OUTPUT_FLAG="--output $INPUT_OUTPUT_FORMAT" [[ -n "$INPUT_BASELINE" ]] && BASELINE_FLAG="--baseline $INPUT_BASELINE" [[ -n "$INPUT_CONFIG_FILE" ]] && CONFIG_FILE_FLAG="--config-file $INPUT_CONFIG_FILE" +[[ -n "$INPUT_SOFT_FAIL_ON" ]] && SOFT_FAIL_ON_FLAG="--soft-fail-on $INPUT_SOFT_FAIL_ON" +[[ -n "$INPUT_HARD_FAIL_ON" ]] && HARD_FAIL_ON_FLAG="--hard-fail-on $INPUT_HARD_FAIL_ON" + if [ -n "$INPUT_QUIET" ] && [ "$INPUT_QUIET" = "true" ]; then QUIET_FLAG="--quiet" @@ -91,11 +94,11 @@ echo "BC_REPOSITORY_URL="${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}"" echo "running checkov on directory: $1" if [ -n "$API_KEY_VARIABLE" ]; then - echo "checkov --bc-api-key XXXXXXXXX-XXX-XXXXX --branch $GIT_BRANCH --repo-id $GITHUB_REPOSITORY -d $INPUT_DIRECTORY $CHECK_FLAG $SKIP_CHECK_FLAG $QUIET_FLAG $SOFT_FAIL_FLAG $EXTERNAL_CHECKS_DIR_FLAG $OUTPUT_FLAG $DOWNLOAD_EXTERNAL_MODULES_FLAG $INPUT_CONFIG_FILE" - checkov --bc-api-key $API_KEY_VARIABLE --branch $GIT_BRANCH --repo-id $GITHUB_REPOSITORY -d $INPUT_DIRECTORY $CHECK_FLAG $SKIP_CHECK_FLAG $QUIET_FLAG $SOFT_FAIL_FLAG $EXTERNAL_CHECKS_DIR_FLAG $OUTPUT_FLAG $DOWNLOAD_EXTERNAL_MODULES_FLAG $INPUT_CONFIG_FILE + echo "checkov --bc-api-key XXXXXXXXX-XXX-XXXXX --branch $GIT_BRANCH --repo-id $GITHUB_REPOSITORY -d $INPUT_DIRECTORY $CHECK_FLAG $SKIP_CHECK_FLAG $QUIET_FLAG $SOFT_FAIL_FLAG $EXTERNAL_CHECKS_DIR_FLAG $OUTPUT_FLAG $DOWNLOAD_EXTERNAL_MODULES_FLAG $INPUT_CONFIG_FILE $SOFT_FAIL_ON_FLAG $HARD_FAIL_ON_FLAG" + checkov --bc-api-key $API_KEY_VARIABLE --branch $GIT_BRANCH --repo-id $GITHUB_REPOSITORY -d $INPUT_DIRECTORY $CHECK_FLAG $SKIP_CHECK_FLAG $QUIET_FLAG $SOFT_FAIL_FLAG $EXTERNAL_CHECKS_DIR_FLAG $OUTPUT_FLAG $DOWNLOAD_EXTERNAL_MODULES_FLAG $INPUT_CONFIG_FILE $SOFT_FAIL_ON_FLAG $HARD_FAIL_ON_FLAG else - echo "checkov -d $INPUT_DIRECTORY $CHECK_FLAG $SKIP_CHECK_FLAG $QUIET_FLAG $EXTERNAL_CHECKS_DIR_FLAG $OUTPUT_FLAG $SOFT_FAIL_FLAG $DOWNLOAD_EXTERNAL_MODULES_FLAG $INPUT_CONFIG_FILE" - checkov -d $INPUT_DIRECTORY $CHECK_FLAG $SKIP_CHECK_FLAG $QUIET_FLAG $EXTERNAL_CHECKS_DIR_FLAG $OUTPUT_FLAG $SOFT_FAIL_FLAG $DOWNLOAD_EXTERNAL_MODULES_FLAG $INPUT_CONFIG_FILE + echo "checkov -d $INPUT_DIRECTORY $CHECK_FLAG $SKIP_CHECK_FLAG $QUIET_FLAG $EXTERNAL_CHECKS_DIR_FLAG $OUTPUT_FLAG $SOFT_FAIL_FLAG $DOWNLOAD_EXTERNAL_MODULES_FLAG $INPUT_CONFIG_FILE $SOFT_FAIL_ON_FLAG $HARD_FAIL_ON_FLAG" + checkov -d $INPUT_DIRECTORY $CHECK_FLAG $SKIP_CHECK_FLAG $QUIET_FLAG $EXTERNAL_CHECKS_DIR_FLAG $OUTPUT_FLAG $SOFT_FAIL_FLAG $DOWNLOAD_EXTERNAL_MODULES_FLAG $INPUT_CONFIG_FILE $SOFT_FAIL_ON_FLAG $HARD_FAIL_ON_FLAG fi CHECKOV_EXIT_CODE=$? From 44f4d3af0f6cce927e86babead1156fb53cd512f Mon Sep 17 00:00:00 2001 From: kartikp10 Date: Mon, 16 Aug 2021 17:27:13 -0400 Subject: [PATCH 124/203] Fix config file flag --- github_action_resources/entrypoint.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/github_action_resources/entrypoint.sh b/github_action_resources/entrypoint.sh index da632f9e15..23afac4537 100755 --- a/github_action_resources/entrypoint.sh +++ b/github_action_resources/entrypoint.sh @@ -94,11 +94,11 @@ echo "BC_REPOSITORY_URL="${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}"" echo "running checkov on directory: $1" if [ -n "$API_KEY_VARIABLE" ]; then - echo "checkov --bc-api-key XXXXXXXXX-XXX-XXXXX --branch $GIT_BRANCH --repo-id $GITHUB_REPOSITORY -d $INPUT_DIRECTORY $CHECK_FLAG $SKIP_CHECK_FLAG $QUIET_FLAG $SOFT_FAIL_FLAG $EXTERNAL_CHECKS_DIR_FLAG $OUTPUT_FLAG $DOWNLOAD_EXTERNAL_MODULES_FLAG $INPUT_CONFIG_FILE $SOFT_FAIL_ON_FLAG $HARD_FAIL_ON_FLAG" - checkov --bc-api-key $API_KEY_VARIABLE --branch $GIT_BRANCH --repo-id $GITHUB_REPOSITORY -d $INPUT_DIRECTORY $CHECK_FLAG $SKIP_CHECK_FLAG $QUIET_FLAG $SOFT_FAIL_FLAG $EXTERNAL_CHECKS_DIR_FLAG $OUTPUT_FLAG $DOWNLOAD_EXTERNAL_MODULES_FLAG $INPUT_CONFIG_FILE $SOFT_FAIL_ON_FLAG $HARD_FAIL_ON_FLAG + echo "checkov --bc-api-key XXXXXXXXX-XXX-XXXXX --branch $GIT_BRANCH --repo-id $GITHUB_REPOSITORY -d $INPUT_DIRECTORY $CHECK_FLAG $SKIP_CHECK_FLAG $QUIET_FLAG $SOFT_FAIL_FLAG $EXTERNAL_CHECKS_DIR_FLAG $OUTPUT_FLAG $DOWNLOAD_EXTERNAL_MODULES_FLAG $CONFIG_FILE_FLAG $SOFT_FAIL_ON_FLAG $HARD_FAIL_ON_FLAG" + checkov --bc-api-key $API_KEY_VARIABLE --branch $GIT_BRANCH --repo-id $GITHUB_REPOSITORY -d $INPUT_DIRECTORY $CHECK_FLAG $SKIP_CHECK_FLAG $QUIET_FLAG $SOFT_FAIL_FLAG $EXTERNAL_CHECKS_DIR_FLAG $OUTPUT_FLAG $DOWNLOAD_EXTERNAL_MODULES_FLAG $CONFIG_FILE_FLAG $SOFT_FAIL_ON_FLAG $HARD_FAIL_ON_FLAG else - echo "checkov -d $INPUT_DIRECTORY $CHECK_FLAG $SKIP_CHECK_FLAG $QUIET_FLAG $EXTERNAL_CHECKS_DIR_FLAG $OUTPUT_FLAG $SOFT_FAIL_FLAG $DOWNLOAD_EXTERNAL_MODULES_FLAG $INPUT_CONFIG_FILE $SOFT_FAIL_ON_FLAG $HARD_FAIL_ON_FLAG" - checkov -d $INPUT_DIRECTORY $CHECK_FLAG $SKIP_CHECK_FLAG $QUIET_FLAG $EXTERNAL_CHECKS_DIR_FLAG $OUTPUT_FLAG $SOFT_FAIL_FLAG $DOWNLOAD_EXTERNAL_MODULES_FLAG $INPUT_CONFIG_FILE $SOFT_FAIL_ON_FLAG $HARD_FAIL_ON_FLAG + echo "checkov -d $INPUT_DIRECTORY $CHECK_FLAG $SKIP_CHECK_FLAG $QUIET_FLAG $EXTERNAL_CHECKS_DIR_FLAG $OUTPUT_FLAG $SOFT_FAIL_FLAG $DOWNLOAD_EXTERNAL_MODULES_FLAG $CONFIG_FILE_FLAG $SOFT_FAIL_ON_FLAG $HARD_FAIL_ON_FLAG" + checkov -d $INPUT_DIRECTORY $CHECK_FLAG $SKIP_CHECK_FLAG $QUIET_FLAG $EXTERNAL_CHECKS_DIR_FLAG $OUTPUT_FLAG $SOFT_FAIL_FLAG $DOWNLOAD_EXTERNAL_MODULES_FLAG $CONFIG_FILE_FLAG $SOFT_FAIL_ON_FLAG $HARD_FAIL_ON_FLAG fi CHECKOV_EXIT_CODE=$? From 390c4d10c397c778c0d029d90e0df606613915c2 Mon Sep 17 00:00:00 2001 From: kartikp10 Date: Mon, 16 Aug 2021 18:09:01 -0400 Subject: [PATCH 125/203] Update problem matcher logic --- github_action_resources/entrypoint.sh | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/github_action_resources/entrypoint.sh b/github_action_resources/entrypoint.sh index 23afac4537..e05eb27c32 100755 --- a/github_action_resources/entrypoint.sh +++ b/github_action_resources/entrypoint.sh @@ -8,6 +8,13 @@ then exit $? fi +matcher_path=`pwd`/checkov-problem-matcher.json +warning_matcher_path=`pwd`/checkov-problem-matcher-softfail.json +cp /usr/local/lib/checkov-problem-matcher.json "$matcher_path" +cp /usr/local/lib/checkov-problem-matcher-softfail.json "$warning_matcher_path" + +export BC_SOURCE=githubActions + # Actions pass inputs as $INPUT_ environment variables # [[ -n "$INPUT_CHECK" ]] && CHECK_FLAG="--check $INPUT_CHECK" @@ -54,16 +61,12 @@ if [ -n "$INPUT_EXTERNAL_CHECKS_REPOS" ]; then done fi -echo "input_soft_fail:$INPUT_SOFT_FAIL" -matcher_path=$(pwd)/checkov-problem-matcher.json -if [ -n "$INPUT_SOFT_FAIL" ]; then - cp /usr/local/lib/checkov-problem-matcher.json "$matcher_path" +if [ ! -z "$INPUT_SOFT_FAIL" ]; then + echo "::add-matcher::bridgecrew-problem-matcher.json" else - cp /usr/local/lib/checkov-problem-matcher-softfail.json "$matcher_path" + echo "::add-matcher::bridgecrew-problem-matcher-warning.json" fi -echo "::add-matcher::checkov-problem-matcher.json" - API_KEY=${API_KEY_VARIABLE} GIT_BRANCH=${GITHUB_HEAD_REF:=master} From 1f33de1be1481a24d216059a836e384086ab60fd Mon Sep 17 00:00:00 2001 From: kartikp10 Date: Mon, 16 Aug 2021 18:11:15 -0400 Subject: [PATCH 126/203] Fix typo --- github_action_resources/entrypoint.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/github_action_resources/entrypoint.sh b/github_action_resources/entrypoint.sh index e05eb27c32..65e3532a79 100755 --- a/github_action_resources/entrypoint.sh +++ b/github_action_resources/entrypoint.sh @@ -62,9 +62,9 @@ if [ -n "$INPUT_EXTERNAL_CHECKS_REPOS" ]; then fi if [ ! -z "$INPUT_SOFT_FAIL" ]; then - echo "::add-matcher::bridgecrew-problem-matcher.json" + echo "::add-matcher::checkov-problem-matcher.json" else - echo "::add-matcher::bridgecrew-problem-matcher-warning.json" + echo "::add-matcher::checkov-problem-matcher-softfail.json" fi API_KEY=${API_KEY_VARIABLE} From d581fc7811f946767c4727297224e1354b31e492 Mon Sep 17 00:00:00 2001 From: GitHub Action Date: Mon, 16 Aug 2021 22:15:19 +0000 Subject: [PATCH 127/203] update pipenv packages --- Pipfile.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Pipfile.lock b/Pipfile.lock index 4e5d5b33a4..ea147a40df 100644 --- a/Pipfile.lock +++ b/Pipfile.lock @@ -312,11 +312,11 @@ }, "policyuniverse": { "hashes": [ - "sha256:40ba6f9b8da755d3d7a5ccddcd5e095704f89deb86058dc43cdbb9c09140878a", - "sha256:f61552c1eb6d31f437ca6de7d74ba84f0d9772d9d8c61ceb4f49529a90693f97" + "sha256:1d5136329b4c4d33b114f8c781ebb2e306ff9dc6969d106ece2567e312b2dd15", + "sha256:a95adcecd8c5b6aafedbf0094217f9251589a5a350b3db54aa55b6cabc26a7ff" ], "index": "pypi", - "version": "==1.4.0.20210730" + "version": "==1.4.0.20210816" }, "pyparsing": { "hashes": [ From f96673db8d480f32e8425cc0923ca1756ded0831 Mon Sep 17 00:00:00 2001 From: nimrodkor Date: Tue, 17 Aug 2021 08:52:00 +0300 Subject: [PATCH 128/203] Skip api key tests for PR tests --- .github/workflows/pr-test.yml | 2 +- integration_tests/test_checkov_cli_integration_report.py | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/pr-test.yml b/.github/workflows/pr-test.yml index 61bcd13dcf..20e9969a14 100644 --- a/.github/workflows/pr-test.yml +++ b/.github/workflows/pr-test.yml @@ -78,4 +78,4 @@ jobs: ./integration_tests/prepare_data.sh 3.8 # Just making sure the API key tests don't run on PRs - name: Run integration tests run: | - pipenv run pytest integration_tests + pipenv run pytest integration_tests -k 'not api_key' diff --git a/integration_tests/test_checkov_cli_integration_report.py b/integration_tests/test_checkov_cli_integration_report.py index 70ca207e7c..12d5936492 100644 --- a/integration_tests/test_checkov_cli_integration_report.py +++ b/integration_tests/test_checkov_cli_integration_report.py @@ -7,11 +7,11 @@ class TestCheckovJsonReport(unittest.TestCase): - def test_terragoat_report_dir(self): + def test_terragoat_report_dir_api_key(self): report_path = current_dir + "/../checkov_report_azuredir_api_key_terragoat.txt" self.validate_report(os.path.abspath(report_path)) - def test_terragoat_report_file(self): + def test_terragoat_report_file_api_key(self): report_path = current_dir + "/../checkov_report_s3_singlefile_api_key_terragoat.txt" self.validate_report(os.path.abspath(report_path)) From 769ecd8552536f7e46c3ca5aab0c3ee0f78755b4 Mon Sep 17 00:00:00 2001 From: nimrodkor Date: Tue, 17 Aug 2021 08:52:00 +0300 Subject: [PATCH 129/203] Skip api key tests for PR tests --- docs/5.Policy Index/terraform.md | 620 +++++++++++++++---------------- 1 file changed, 310 insertions(+), 310 deletions(-) diff --git a/docs/5.Policy Index/terraform.md b/docs/5.Policy Index/terraform.md index c13ff39442..a4dede7c5b 100644 --- a/docs/5.Policy Index/terraform.md +++ b/docs/5.Policy Index/terraform.md @@ -207,26 +207,26 @@ nav_order: 1 | 196 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | | 197 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | | 198 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 199 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | -| 200 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 199 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 200 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | | 201 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to an other resource | Terraform | -| 202 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | -| 203 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | -| 204 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | -| 205 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 202 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | +| 203 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | +| 204 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 205 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | | 206 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | | 207 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | | 208 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | | 209 | CKV2_AWS_11 | resource | aws_vpc | Ensure VPC flow logging is enabled in all VPCs | Terraform | -| 210 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | -| 211 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 210 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 211 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | | 212 | CKV2_AWS_13 | resource | aws_redshift_cluster | Ensure that Redshift clusters has backup plan of AWS Backup | Terraform | -| 213 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | -| 214 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | -| 215 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 216 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 217 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | -| 218 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | +| 213 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | +| 214 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | +| 215 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 216 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 217 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | +| 218 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 219 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | | 220 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | | 221 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | @@ -235,11 +235,11 @@ nav_order: 1 | 224 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | | 225 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | | 226 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | -| 227 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | -| 228 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | +| 227 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | +| 228 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | | 229 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | -| 230 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | -| 231 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | +| 230 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | +| 231 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | | 232 | CKV_AZURE_1 | resource | azurerm_linux_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | | 233 | CKV_AZURE_1 | resource | azurerm_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | | 234 | CKV_AZURE_2 | resource | azurerm_managed_disk | Ensure Azure managed disk has encryption enabled | Terraform | @@ -388,44 +388,44 @@ nav_order: 1 | 377 | CKV_AZURE_130 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables infrastructure encryption | Terraform | | 378 | CKV_AZURE_131 | resource | azurerm_security_center_contact | Ensure that 'Security contact emails' is set | Terraform | | 379 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | -| 380 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 381 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 382 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 383 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 384 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 385 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 386 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 387 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 388 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 389 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 390 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 391 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | -| 392 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 380 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 381 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 382 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 383 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 384 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 385 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 386 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 387 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 388 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 389 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 390 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 391 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 392 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 393 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | -| 394 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | -| 395 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | +| 394 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | +| 395 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 396 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | | 397 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | | 398 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | | 399 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | | 400 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | -| 401 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | -| 402 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | -| 403 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | -| 404 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | +| 401 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | +| 402 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | +| 403 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | +| 404 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | | 405 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | | 406 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | | 407 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 408 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 409 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 408 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 409 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | | 410 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 411 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 412 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | -| 413 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 413 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | | 414 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 415 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 416 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 417 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 415 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 416 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 417 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 418 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 419 | CKV_GCP_1 | resource | google_container_cluster | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters | Terraform | | 420 | CKV_GCP_2 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted ssh access | Terraform | @@ -511,279 +511,279 @@ nav_order: 1 | 500 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | | 501 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | | 502 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 503 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 504 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 505 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 506 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 507 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 508 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 509 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 510 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 511 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 512 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 513 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 514 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 515 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 516 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 517 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 518 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 519 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 520 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 521 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 522 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 523 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 524 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 525 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 526 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 527 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 528 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 529 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 530 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 531 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 532 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 533 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 534 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 535 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 536 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 537 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 538 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 539 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 540 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 541 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 542 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 543 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 544 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 545 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 546 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 547 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 548 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 549 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 550 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 551 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 552 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 553 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 554 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 555 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 556 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 557 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 558 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 559 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 560 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 561 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 562 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 563 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 564 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 565 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 566 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 567 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 568 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 569 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 570 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 571 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 572 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 573 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 574 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 575 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 576 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 577 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 578 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 579 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 580 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 581 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 582 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 583 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 584 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 585 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 586 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 587 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 588 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 589 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 590 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 591 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 592 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 593 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 594 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 595 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 596 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 597 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 598 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 599 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 600 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 601 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 602 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 603 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 604 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 605 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 606 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 607 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 608 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 609 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 610 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 611 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 612 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 613 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 614 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 615 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 616 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 617 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 618 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 619 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 620 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 621 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 622 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 623 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 624 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 625 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 626 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 627 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 628 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 629 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 630 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 631 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 632 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 633 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 634 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 635 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 636 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 637 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 638 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 639 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 640 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 641 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 642 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 643 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 644 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 645 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 646 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 647 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 648 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 649 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 650 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 651 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 652 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 653 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 654 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 655 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 656 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 657 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 658 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 659 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 660 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 661 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 662 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 663 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 664 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 665 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 666 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 667 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 668 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 669 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 670 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 671 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 672 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 673 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 674 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 675 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 676 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 677 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 678 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 679 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 680 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 681 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 682 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 683 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 684 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 685 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 686 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 687 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 688 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 689 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 690 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 691 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 692 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 693 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 694 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 695 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 696 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 697 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 698 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 699 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 700 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 701 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 702 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 703 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 704 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 705 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 706 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 707 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 708 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 709 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 710 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 711 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 712 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 713 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 714 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 715 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 716 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 717 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 718 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 719 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 720 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 721 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 722 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 723 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 724 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 725 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 726 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 727 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 728 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 729 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 730 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 731 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 732 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 733 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 734 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 735 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 736 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 737 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 738 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 739 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 740 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 741 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 742 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 743 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 744 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 745 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 746 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 747 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 748 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 749 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 750 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 751 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 752 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 753 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 754 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 755 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 756 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 757 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 758 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 759 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 760 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 761 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 762 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 763 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 764 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 765 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 766 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 503 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 504 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 505 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 506 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 507 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 508 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 509 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 510 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 511 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 512 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 513 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 514 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 515 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 516 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 517 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 518 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 519 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 520 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 521 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 522 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 523 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 524 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 525 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 526 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 527 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 528 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 529 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 530 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 531 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 532 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 533 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 534 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 535 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 536 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 537 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 538 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 539 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 540 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 541 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 542 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 543 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 544 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 545 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 546 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 547 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 548 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 549 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 550 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 551 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 552 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 553 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 554 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 555 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 556 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 557 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 558 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 559 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 560 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 561 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 562 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 563 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 564 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 565 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 566 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 567 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 568 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 569 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 570 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 571 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 572 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 573 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 574 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 575 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 576 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 577 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 578 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 579 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 580 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 581 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 582 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 583 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 584 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 585 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 586 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 587 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 588 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 589 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 590 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 591 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 592 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 593 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 594 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 595 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 596 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 597 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 598 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 599 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 600 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 601 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 602 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 603 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 604 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 605 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 606 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 607 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 608 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 609 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 610 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 611 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 612 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 613 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 614 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 615 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 616 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 617 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 618 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 619 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 620 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 621 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 622 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 623 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 624 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 625 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 626 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 627 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 628 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 629 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 630 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 631 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 632 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 633 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 634 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 635 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 636 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 637 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 638 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 639 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 640 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 641 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 642 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 643 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 644 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 645 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 646 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 647 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 648 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 649 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 650 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 651 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 652 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 653 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 654 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 655 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 656 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 657 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 658 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 659 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 660 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 661 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 662 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 663 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 664 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 665 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 666 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 667 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 668 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 669 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 670 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 671 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 672 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 673 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 674 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 675 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 676 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 677 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 678 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 679 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 680 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 681 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 682 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 683 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 684 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 685 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 686 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 687 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 688 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 689 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 690 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 691 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 692 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 693 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 694 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 695 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 696 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 697 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 698 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 699 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 700 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 701 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 702 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 703 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 704 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 705 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 706 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 707 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 708 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 709 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 710 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 711 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 712 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 713 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 714 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 715 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 716 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 717 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 718 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 719 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 720 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 721 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 722 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 723 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 724 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 725 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 726 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 727 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 728 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 729 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 730 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 731 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 732 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 733 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 734 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 735 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 736 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 737 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 738 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 739 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 740 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 741 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 742 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 743 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 744 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 745 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 746 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 747 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 748 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 749 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 750 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 751 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 752 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 753 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 754 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 755 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 756 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 757 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 758 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 759 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 760 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 761 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 762 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 763 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 764 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 765 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 766 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 767 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 768 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 768 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 769 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | | 770 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | | 771 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | | 772 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | | 773 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 774 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | -| 775 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 774 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 775 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 776 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform | | 777 | CKV_LIN_1 | provider | linode | Ensure no hard coded Linode tokens exist in provider | Terraform | | 778 | CKV_LIN_2 | resource | linode_instance | Ensure SSH key set in authorized_keys | Terraform | From b0ead07c359893c6287d9d785a34f35d38f98f08 Mon Sep 17 00:00:00 2001 From: Nimrod Kor Date: Tue, 17 Aug 2021 09:02:18 +0300 Subject: [PATCH 130/203] Merge pull request #1504 from bridgecrewio/docker-updates Update entrypoint.sh for API key support and new args. --- docs/5.Policy Index/serverless.md | 130 ------------------------------ 1 file changed, 130 deletions(-) diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index 020ab484d2..d35af83ca3 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md @@ -16,133 +16,3 @@ nav_order: 1 --- -| | Id | Type | Entity | Policy | IaC | -|-----|-------------|----------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| -| 0 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | -| 1 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | -| 2 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | -| 3 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | -| 4 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | -| 5 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | -| 6 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | -| 7 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | -| 8 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | -| 9 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | -| 10 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | -| 11 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | -| 12 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | -| 13 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | -| 14 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | -| 15 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 16 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 17 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 18 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 19 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | -| 20 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | -| 21 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | -| 22 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | -| 23 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | -| 24 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | -| 25 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | -| 26 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | -| 27 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | -| 28 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | -| 29 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | -| 30 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | -| 31 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | -| 32 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | -| 33 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | -| 34 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | -| 35 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | -| 36 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | -| 37 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | -| 38 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | -| 39 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | -| 40 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | -| 41 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | -| 42 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | -| 43 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | -| 44 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | -| 45 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | -| 46 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | -| 47 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | -| 48 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | -| 49 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | -| 50 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | -| 51 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | -| 52 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | -| 53 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | -| 54 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | -| 55 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | -| 56 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | -| 57 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | -| 58 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | -| 59 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | -| 60 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | -| 61 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | -| 62 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | -| 63 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | -| 64 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | -| 65 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | -| 66 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | -| 67 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | -| 68 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | -| 69 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | -| 70 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | -| 71 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | -| 72 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | -| 73 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | -| 74 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | -| 75 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | -| 76 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | -| 77 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | -| 78 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | -| 79 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | -| 80 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 81 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 82 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 83 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 84 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 85 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 86 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 87 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 88 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 89 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 90 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 91 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 92 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 93 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 94 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 95 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 96 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 97 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 98 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 99 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 100 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 101 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 102 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 103 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 104 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 105 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | -| 106 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | -| 107 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | -| 108 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | -| 109 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | -| 110 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | -| 111 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | -| 112 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | -| 113 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | -| 114 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | -| 115 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | -| 116 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | -| 117 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | -| 118 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | -| 119 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | -| 120 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | -| 121 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | -| 122 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | - - ---- - - From 4f8d5389ce135e67d7232e9c49de12899aab3bae Mon Sep 17 00:00:00 2001 From: nimrodkor Date: Tue, 17 Aug 2021 08:52:00 +0300 Subject: [PATCH 131/203] Skip api key tests for PR tests --- docs/5.Policy Index/all.md | 614 ++++++++++++++++++------------------- 1 file changed, 307 insertions(+), 307 deletions(-) diff --git a/docs/5.Policy Index/all.md b/docs/5.Policy Index/all.md index 29f801ebcd..3bc14d1763 100644 --- a/docs/5.Policy Index/all.md +++ b/docs/5.Policy Index/all.md @@ -327,28 +327,28 @@ nav_order: 1 | 316 | CKV_AWS_171 | resource | aws_emr_security_configuration | Ensure Cluster security configuration encryption is using SSE-KMS | Terraform | | 317 | CKV_AWS_172 | resource | aws_qldb_ledger | Ensure QLDB ledger has deletion protection enabled | Terraform | | 318 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | -| 319 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | -| 320 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | +| 319 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | +| 320 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | | 321 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | | 322 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | -| 323 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 324 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | +| 323 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | +| 324 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | | 325 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | | 326 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | | 327 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to an other resource | Terraform | | 328 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | | 329 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | -| 330 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | -| 331 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 330 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 331 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | | 332 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | | 333 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | | 334 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | | 335 | CKV2_AWS_11 | resource | aws_vpc | Ensure VPC flow logging is enabled in all VPCs | Terraform | -| 336 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | -| 337 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 336 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 337 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | | 338 | CKV2_AWS_13 | resource | aws_redshift_cluster | Ensure that Redshift clusters has backup plan of AWS Backup | Terraform | -| 339 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | -| 340 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | +| 339 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | +| 340 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | | 341 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | | 342 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | | 343 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | @@ -356,16 +356,16 @@ nav_order: 1 | 345 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | | 346 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | | 347 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 348 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | -| 349 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 348 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 349 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | | 350 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | | 351 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | | 352 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | -| 353 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | -| 354 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | +| 353 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | +| 354 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | | 355 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | -| 356 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | -| 357 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | +| 356 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | +| 357 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | | 358 | CKV_AZURE_1 | resource | azurerm_linux_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | | 359 | CKV_AZURE_1 | resource | azurerm_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | | 360 | CKV_AZURE_1 | resource | Microsoft.Compute/virtualMachines | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | arm | @@ -567,17 +567,17 @@ nav_order: 1 | 556 | CKV_AZURE_131 | resource | azurerm_security_center_contact | Ensure that 'Security contact emails' is set | Terraform | | 557 | CKV_AZURE_131 | parameter | secureString | SecureString parameter should not have hardcoded default values | arm | | 558 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | -| 559 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 560 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 561 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 559 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 560 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 561 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 562 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 563 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 564 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 563 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 564 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 565 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 566 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 567 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 566 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 567 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | | 568 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 569 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 569 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | | 570 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 571 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 572 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | @@ -588,24 +588,24 @@ nav_order: 1 | 577 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | | 578 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | | 579 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | -| 580 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | -| 581 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | -| 582 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | -| 583 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | +| 580 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | +| 581 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | +| 582 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | +| 583 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | | 584 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | -| 585 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 586 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 587 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 588 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 589 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | -| 590 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 585 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 586 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 587 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 588 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 589 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 590 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 591 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | -| 592 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 593 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 594 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 592 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 593 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 594 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | | 595 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 596 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 597 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 596 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 597 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 598 | CKV_DOCKER_1 | dockerfile | EXPOSE | Ensure port 22 is not exposed | dockerfile | | 599 | CKV_DOCKER_2 | dockerfile | * | Ensure that HEALTHCHECK instructions have been added to container images | dockerfile | | 600 | CKV_DOCKER_3 | dockerfile | * | Ensure that a user for the container has been created | dockerfile | @@ -698,277 +698,277 @@ nav_order: 1 | 687 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | | 688 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | | 689 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 690 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 691 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 692 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 693 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 694 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 695 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 696 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 697 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 698 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 699 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 700 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 701 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 702 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 703 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 704 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 705 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 706 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 707 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 708 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 709 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 710 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 711 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 712 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 713 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 714 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 715 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 716 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 717 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 718 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 719 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 720 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 721 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 722 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 723 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 724 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 725 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 726 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 727 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 728 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 729 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 730 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 731 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 732 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 733 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 734 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 735 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 736 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 737 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 738 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 739 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 740 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 741 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 742 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 743 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 744 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 745 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 746 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 747 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 748 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 749 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 750 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 751 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 752 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 753 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 754 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 755 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 756 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 757 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 758 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 759 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 760 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 761 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 762 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 763 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 764 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 765 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 766 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 767 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 768 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 769 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 770 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 771 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 772 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 773 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 774 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 775 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 776 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 777 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 778 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 779 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 780 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 781 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 782 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 783 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 784 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 785 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 786 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 787 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 788 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 789 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 790 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 791 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 792 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 793 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 794 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 795 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 796 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 797 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 798 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 799 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 800 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 801 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 802 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 803 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 804 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 805 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 806 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 807 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 808 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 809 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 810 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 811 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 812 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 813 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 814 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 815 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 816 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 817 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 818 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 819 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 820 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 821 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 822 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 823 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 824 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 825 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 826 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 690 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 691 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 692 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 693 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 694 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 695 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 696 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 697 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 698 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 699 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 700 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 701 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 702 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 703 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 704 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 705 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 706 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 707 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 708 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 709 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 710 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 711 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 712 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 713 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 714 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 715 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 716 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 717 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 718 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 719 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 720 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 721 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 722 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 723 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 724 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 725 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 726 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 727 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 728 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 729 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 730 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 731 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 732 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 733 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 734 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 735 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 736 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 737 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 738 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 739 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 740 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 741 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 742 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 743 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 744 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 745 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 746 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 747 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 748 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 749 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 750 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 751 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 752 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 753 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 754 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 755 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 756 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 757 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 758 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 759 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 760 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 761 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 762 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 763 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 764 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 765 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 766 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 767 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 768 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 769 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 770 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 771 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 772 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 773 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 774 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 775 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 776 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 777 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 778 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 779 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 780 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 781 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 782 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 783 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 784 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 785 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 786 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 787 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 788 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 789 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 790 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 791 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 792 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 793 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 794 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 795 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 796 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 797 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 798 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 799 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 800 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 801 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 802 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 803 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 804 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 805 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 806 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 807 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 808 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 809 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 810 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 811 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 812 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 813 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 814 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 815 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 816 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 817 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 818 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 819 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 820 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 821 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 822 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 823 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 824 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 825 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 826 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 827 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 828 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 829 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 830 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 831 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 832 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 833 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 834 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 835 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 836 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 837 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 838 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 839 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 840 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 841 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 842 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 843 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 844 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 845 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 846 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 847 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 848 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 849 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 850 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 851 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 852 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 853 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 854 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 855 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 856 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 857 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 858 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 859 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 860 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 861 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 862 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 863 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 864 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 865 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 866 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 867 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 868 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 869 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 870 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 871 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 872 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 873 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 874 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 875 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 876 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 877 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 878 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 879 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 880 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 881 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 882 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 883 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 884 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 885 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 886 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 887 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 888 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 889 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 890 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 891 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 892 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 893 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 894 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 895 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 896 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 897 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 898 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 899 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 900 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 901 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 902 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 903 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 904 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 905 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 906 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 907 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 908 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 909 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 910 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 911 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 912 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 913 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 914 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 915 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 916 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 917 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 918 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 919 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 920 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 921 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 922 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 923 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 924 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 925 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 926 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 927 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 928 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 929 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 930 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 931 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 932 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 933 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 934 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 935 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 936 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 937 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 938 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 939 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 940 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 941 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 942 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 943 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 944 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 945 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 946 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 947 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 948 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 949 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 950 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 951 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 952 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 953 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 954 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 955 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 828 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 829 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 830 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 831 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 832 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 833 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 834 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 835 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 836 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 837 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 838 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 839 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 840 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 841 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 842 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 843 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 844 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 845 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 846 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 847 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 848 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 849 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 850 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 851 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 852 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 853 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 854 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 855 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 856 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 857 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 858 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 859 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 860 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 861 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 862 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 863 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 864 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 865 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 866 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 867 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 868 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 869 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 870 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 871 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 872 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 873 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 874 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 875 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 876 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 877 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 878 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 879 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 880 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 881 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 882 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 883 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 884 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 885 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 886 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 887 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 888 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 889 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 890 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 891 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 892 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 893 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 894 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 895 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 896 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 897 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 898 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 899 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 900 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 901 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 902 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 903 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 904 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 905 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 906 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 907 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 908 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 909 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 910 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 911 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 912 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 913 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 914 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 915 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 916 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 917 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 918 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 919 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 920 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 921 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 922 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 923 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 924 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 925 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 926 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 927 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 928 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 929 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 930 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 931 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 932 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 933 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 934 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 935 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 936 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 937 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 938 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 939 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 940 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 941 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 942 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 943 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 944 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 945 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 946 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 947 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 948 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 949 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 950 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 951 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 952 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 953 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 954 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 955 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 956 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | | 957 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 958 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 959 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 960 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 958 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 959 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 960 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | | 961 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 962 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 963 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform | From f348ee8c94c660f22efed10c2941d92c3b0f2795 Mon Sep 17 00:00:00 2001 From: Nimrod Kor Date: Tue, 17 Aug 2021 09:02:18 +0300 Subject: [PATCH 132/203] Merge pull request #1504 from bridgecrewio/docker-updates Update entrypoint.sh for API key support and new args. --- docs/5.Policy Index/serverless.md | 130 ++++++++++++++++++++++++++++++ 1 file changed, 130 insertions(+) diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index d35af83ca3..020ab484d2 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md @@ -16,3 +16,133 @@ nav_order: 1 --- +| | Id | Type | Entity | Policy | IaC | +|-----|-------------|----------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| +| 0 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | +| 1 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | +| 2 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | +| 3 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | +| 4 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | +| 5 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | +| 6 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | +| 7 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | +| 8 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | +| 9 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | +| 10 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | +| 11 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | +| 12 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | +| 13 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | +| 14 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | +| 15 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 16 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 17 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 18 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 19 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | +| 20 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | +| 21 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | +| 22 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | +| 23 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | +| 24 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | +| 25 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | +| 26 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | +| 27 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | +| 28 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | +| 29 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | +| 30 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | +| 31 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | +| 32 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | +| 33 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | +| 34 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | +| 35 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | +| 36 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | +| 37 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | +| 38 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | +| 39 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | +| 40 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | +| 41 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | +| 42 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | +| 43 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | +| 44 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | +| 45 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | +| 46 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | +| 47 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | +| 48 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | +| 49 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | +| 50 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | +| 51 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | +| 52 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | +| 53 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | +| 54 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | +| 55 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | +| 56 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | +| 57 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | +| 58 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | +| 59 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | +| 60 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | +| 61 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | +| 62 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | +| 63 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | +| 64 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | +| 65 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | +| 66 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | +| 67 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | +| 68 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | +| 69 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | +| 70 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | +| 71 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | +| 72 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | +| 73 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | +| 74 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | +| 75 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | +| 76 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | +| 77 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | +| 78 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | +| 79 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | +| 80 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 81 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 82 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 83 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 84 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 85 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 86 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 87 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 88 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 89 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 90 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 91 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 92 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 93 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 94 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 95 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 96 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 97 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 98 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 99 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 100 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 101 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 102 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 103 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 104 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 105 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | +| 106 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | +| 107 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | +| 108 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | +| 109 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | +| 110 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | +| 111 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | +| 112 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | +| 113 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | +| 114 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | +| 115 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | +| 116 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | +| 117 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | +| 118 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | +| 119 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | +| 120 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | +| 121 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | +| 122 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | + + +--- + + From 27bc0f97f7c4307e5ee5edb08d6108472569cb29 Mon Sep 17 00:00:00 2001 From: nimrodkor Date: Tue, 17 Aug 2021 08:52:00 +0300 Subject: [PATCH 133/203] Skip api key tests for PR tests --- checkov/version.py | 2 +- kubernetes/requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/checkov/version.py b/checkov/version.py index 9b7ff7cbc8..c2a627be3d 100644 --- a/checkov/version.py +++ b/checkov/version.py @@ -1 +1 @@ -version = '2.0.352' +version = '2.0.353' diff --git a/kubernetes/requirements.txt b/kubernetes/requirements.txt index cddd40e78f..6e6a4bd74c 100644 --- a/kubernetes/requirements.txt +++ b/kubernetes/requirements.txt @@ -1 +1 @@ -checkov==2.0.352 +checkov==2.0.353 From 58af237a0d1355b0be84c225d8d8768a51bdd358 Mon Sep 17 00:00:00 2001 From: Nimrod Kor Date: Tue, 17 Aug 2021 09:02:18 +0300 Subject: [PATCH 134/203] Merge pull request #1504 from bridgecrewio/docker-updates Update entrypoint.sh for API key support and new args. --- docs/5.Policy Index/terraform.md | 604 +++++++++++++++---------------- 1 file changed, 302 insertions(+), 302 deletions(-) diff --git a/docs/5.Policy Index/terraform.md b/docs/5.Policy Index/terraform.md index a4dede7c5b..46e3adbca5 100644 --- a/docs/5.Policy Index/terraform.md +++ b/docs/5.Policy Index/terraform.md @@ -201,10 +201,10 @@ nav_order: 1 | 190 | CKV_AWS_170 | resource | aws_qldb_ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Terraform | | 191 | CKV_AWS_171 | resource | aws_emr_security_configuration | Ensure Cluster security configuration encryption is using SSE-KMS | Terraform | | 192 | CKV_AWS_172 | resource | aws_qldb_ledger | Ensure QLDB ledger has deletion protection enabled | Terraform | -| 193 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | -| 194 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | -| 195 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | -| 196 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 193 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | +| 194 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | +| 195 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 196 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | | 197 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | | 198 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | | 199 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | @@ -212,8 +212,8 @@ nav_order: 1 | 201 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to an other resource | Terraform | | 202 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | | 203 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | -| 204 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | -| 205 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 204 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 205 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | | 206 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | | 207 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | | 208 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | @@ -223,20 +223,20 @@ nav_order: 1 | 212 | CKV2_AWS_13 | resource | aws_redshift_cluster | Ensure that Redshift clusters has backup plan of AWS Backup | Terraform | | 213 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | | 214 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | -| 215 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 216 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 215 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 216 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | | 217 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 218 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 219 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | | 220 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | | 221 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 222 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | -| 223 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 222 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 223 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | | 224 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | | 225 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | | 226 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | -| 227 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | -| 228 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | +| 227 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | +| 228 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | | 229 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | | 230 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | | 231 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | @@ -388,45 +388,45 @@ nav_order: 1 | 377 | CKV_AZURE_130 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables infrastructure encryption | Terraform | | 378 | CKV_AZURE_131 | resource | azurerm_security_center_contact | Ensure that 'Security contact emails' is set | Terraform | | 379 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | -| 380 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 381 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 382 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 380 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 381 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 382 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 383 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 384 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 385 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 384 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 385 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 386 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 387 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 388 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 387 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 388 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | | 389 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 390 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 391 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | -| 392 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 390 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 391 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 392 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 393 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | | 394 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 395 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 396 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | -| 397 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | -| 398 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 397 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 398 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | | 399 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | | 400 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | -| 401 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | -| 402 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | +| 401 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | +| 402 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | | 403 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | | 404 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | | 405 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | | 406 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | | 407 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 408 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 409 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 410 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | -| 411 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 408 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 409 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 410 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 411 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 412 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | -| 413 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 414 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 413 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 414 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | | 415 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 416 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 416 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 417 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 418 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 418 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 419 | CKV_GCP_1 | resource | google_container_cluster | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters | Terraform | | 420 | CKV_GCP_2 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted ssh access | Terraform | | 421 | CKV_GCP_3 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted rdp access | Terraform | @@ -511,279 +511,279 @@ nav_order: 1 | 500 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | | 501 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | | 502 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 503 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 504 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 505 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 506 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 507 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 508 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 509 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 510 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 511 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 512 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 513 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 514 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 515 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 516 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 517 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 518 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 519 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 520 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 521 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 522 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 523 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 524 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 525 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 526 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 527 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 528 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 529 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 530 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 531 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 532 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 533 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 534 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 535 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 536 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 537 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 538 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 539 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 540 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 541 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 542 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 543 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 544 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 545 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 546 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 547 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 548 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 549 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 550 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 551 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 552 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 553 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 554 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 555 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 556 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 557 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 558 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 559 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 560 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 561 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 562 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 563 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 564 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 565 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 566 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 567 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 568 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 569 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 570 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 571 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 572 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 573 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 574 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 575 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 576 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 577 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 578 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 579 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 580 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 581 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 582 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 583 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 584 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 585 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 586 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 587 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 588 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 589 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 590 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 591 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 592 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 593 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 594 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 595 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 596 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 597 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 598 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 599 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 600 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 601 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 602 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 603 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 604 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 605 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 606 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 607 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 608 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 609 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 610 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 611 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 612 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 613 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 614 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 615 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 616 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 617 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 618 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 619 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 620 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 621 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 622 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 623 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 624 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 625 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 626 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 627 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 628 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 629 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 630 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 631 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 632 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 633 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 634 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 635 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 636 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 637 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 638 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 639 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 640 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 641 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 642 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 643 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 644 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 645 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 646 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 647 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 648 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 649 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 650 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 651 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 652 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 653 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 654 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 655 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 656 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 657 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 658 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 659 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 660 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 661 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 662 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 663 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 664 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 665 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 666 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 667 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 668 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 669 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 670 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 671 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 672 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 673 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 674 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 675 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 676 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 677 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 678 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 679 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 680 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 681 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 682 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 683 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 684 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 685 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 686 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 687 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 688 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 689 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 690 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 691 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 692 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 693 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 694 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 695 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 696 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 697 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 698 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 699 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 700 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 701 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 702 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 703 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 704 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 705 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 706 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 707 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 708 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 709 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 710 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 711 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 712 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 713 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 714 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 715 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 716 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 717 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 718 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 719 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 720 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 721 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 722 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 723 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 724 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 725 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 726 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 727 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 728 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 729 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 730 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 731 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 732 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 733 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 734 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 735 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 736 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 737 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 738 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 739 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 740 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 741 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 742 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 743 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 744 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 745 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 746 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 747 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 748 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 749 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 750 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 751 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 752 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 753 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 754 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 755 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 756 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 757 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 758 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 759 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 760 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 761 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 762 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 763 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 764 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 765 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 503 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 504 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 505 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 506 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 507 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 508 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 509 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 510 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 511 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 512 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 513 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 514 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 515 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 516 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 517 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 518 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 519 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 520 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 521 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 522 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 523 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 524 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 525 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 526 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 527 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 528 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 529 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 530 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 531 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 532 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 533 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 534 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 535 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 536 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 537 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 538 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 539 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 540 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 541 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 542 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 543 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 544 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 545 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 546 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 547 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 548 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 549 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 550 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 551 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 552 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 553 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 554 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 555 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 556 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 557 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 558 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 559 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 560 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 561 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 562 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 563 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 564 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 565 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 566 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 567 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 568 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 569 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 570 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 571 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 572 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 573 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 574 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 575 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 576 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 577 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 578 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 579 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 580 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 581 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 582 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 583 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 584 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 585 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 586 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 587 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 588 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 589 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 590 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 591 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 592 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 593 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 594 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 595 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 596 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 597 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 598 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 599 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 600 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 601 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 602 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 603 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 604 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 605 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 606 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 607 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 608 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 609 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 610 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 611 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 612 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 613 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 614 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 615 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 616 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 617 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 618 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 619 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 620 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 621 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 622 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 623 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 624 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 625 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 626 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 627 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 628 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 629 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 630 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 631 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 632 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 633 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 634 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 635 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 636 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 637 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 638 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 639 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 640 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 641 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 642 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 643 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 644 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 645 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 646 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 647 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 648 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 649 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 650 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 651 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 652 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 653 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 654 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 655 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 656 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 657 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 658 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 659 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 660 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 661 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 662 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 663 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 664 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 665 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 666 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 667 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 668 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 669 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 670 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 671 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 672 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 673 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 674 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 675 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 676 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 677 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 678 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 679 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 680 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 681 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 682 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 683 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 684 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 685 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 686 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 687 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 688 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 689 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 690 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 691 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 692 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 693 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 694 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 695 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 696 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 697 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 698 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 699 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 700 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 701 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 702 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 703 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 704 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 705 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 706 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 707 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 708 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 709 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 710 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 711 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 712 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 713 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 714 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 715 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 716 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 717 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 718 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 719 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 720 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 721 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 722 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 723 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 724 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 725 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 726 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 727 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 728 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 729 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 730 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 731 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 732 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 733 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 734 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 735 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 736 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 737 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 738 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 739 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 740 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 741 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 742 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 743 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 744 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 745 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 746 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 747 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 748 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 749 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 750 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 751 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 752 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 753 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 754 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 755 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 756 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 757 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 758 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 759 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 760 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 761 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 762 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 763 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 764 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 765 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 766 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 767 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 767 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 768 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 769 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | | 770 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 771 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 772 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 771 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 772 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | | 773 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 774 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | -| 775 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 774 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 775 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 776 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform | | 777 | CKV_LIN_1 | provider | linode | Ensure no hard coded Linode tokens exist in provider | Terraform | | 778 | CKV_LIN_2 | resource | linode_instance | Ensure SSH key set in authorized_keys | Terraform | From b8d2bbb3ae15b2ddc889ca118a3566483e3a4be9 Mon Sep 17 00:00:00 2001 From: nimrodkor Date: Tue, 17 Aug 2021 08:52:00 +0300 Subject: [PATCH 135/203] Skip api key tests for PR tests --- docs/5.Policy Index/serverless.md | 130 ------------------------------ 1 file changed, 130 deletions(-) diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index 020ab484d2..d35af83ca3 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md @@ -16,133 +16,3 @@ nav_order: 1 --- -| | Id | Type | Entity | Policy | IaC | -|-----|-------------|----------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| -| 0 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | -| 1 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | -| 2 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | -| 3 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | -| 4 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | -| 5 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | -| 6 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | -| 7 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | -| 8 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | -| 9 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | -| 10 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | -| 11 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | -| 12 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | -| 13 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | -| 14 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | -| 15 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 16 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 17 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 18 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 19 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | -| 20 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | -| 21 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | -| 22 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | -| 23 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | -| 24 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | -| 25 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | -| 26 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | -| 27 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | -| 28 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | -| 29 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | -| 30 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | -| 31 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | -| 32 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | -| 33 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | -| 34 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | -| 35 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | -| 36 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | -| 37 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | -| 38 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | -| 39 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | -| 40 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | -| 41 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | -| 42 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | -| 43 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | -| 44 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | -| 45 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | -| 46 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | -| 47 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | -| 48 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | -| 49 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | -| 50 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | -| 51 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | -| 52 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | -| 53 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | -| 54 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | -| 55 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | -| 56 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | -| 57 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | -| 58 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | -| 59 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | -| 60 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | -| 61 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | -| 62 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | -| 63 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | -| 64 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | -| 65 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | -| 66 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | -| 67 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | -| 68 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | -| 69 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | -| 70 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | -| 71 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | -| 72 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | -| 73 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | -| 74 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | -| 75 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | -| 76 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | -| 77 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | -| 78 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | -| 79 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | -| 80 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 81 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 82 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 83 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 84 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 85 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 86 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 87 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 88 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 89 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 90 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 91 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 92 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 93 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 94 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 95 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 96 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 97 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 98 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 99 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 100 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 101 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 102 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 103 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 104 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 105 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | -| 106 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | -| 107 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | -| 108 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | -| 109 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | -| 110 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | -| 111 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | -| 112 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | -| 113 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | -| 114 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | -| 115 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | -| 116 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | -| 117 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | -| 118 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | -| 119 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | -| 120 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | -| 121 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | -| 122 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | - - ---- - - From ea1774ed44012069e772f46093f40928cba73b94 Mon Sep 17 00:00:00 2001 From: Nimrod Kor Date: Tue, 17 Aug 2021 09:02:18 +0300 Subject: [PATCH 136/203] Merge pull request #1504 from bridgecrewio/docker-updates Update entrypoint.sh for API key support and new args. --- docs/5.Policy Index/all.md | 590 ++++++++++++++++++------------------- 1 file changed, 295 insertions(+), 295 deletions(-) diff --git a/docs/5.Policy Index/all.md b/docs/5.Policy Index/all.md index 3bc14d1763..155215b59e 100644 --- a/docs/5.Policy Index/all.md +++ b/docs/5.Policy Index/all.md @@ -331,31 +331,31 @@ nav_order: 1 | 320 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | | 321 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | | 322 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | -| 323 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 324 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 325 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | -| 326 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 323 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | +| 324 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | +| 325 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 326 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | | 327 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to an other resource | Terraform | | 328 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | | 329 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | -| 330 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | -| 331 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 330 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 331 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | | 332 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | | 333 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | | 334 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | | 335 | CKV2_AWS_11 | resource | aws_vpc | Ensure VPC flow logging is enabled in all VPCs | Terraform | -| 336 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | -| 337 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 336 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 337 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | | 338 | CKV2_AWS_13 | resource | aws_redshift_cluster | Ensure that Redshift clusters has backup plan of AWS Backup | Terraform | -| 339 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | -| 340 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | -| 341 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 342 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 339 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | +| 340 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | +| 341 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 342 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | | 343 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 344 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 345 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | -| 346 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 347 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | +| 346 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | +| 347 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | | 348 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | | 349 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | | 350 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | @@ -364,8 +364,8 @@ nav_order: 1 | 353 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | | 354 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | | 355 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | -| 356 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | -| 357 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | +| 356 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | +| 357 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | | 358 | CKV_AZURE_1 | resource | azurerm_linux_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | | 359 | CKV_AZURE_1 | resource | azurerm_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | | 360 | CKV_AZURE_1 | resource | Microsoft.Compute/virtualMachines | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | arm | @@ -584,8 +584,8 @@ nav_order: 1 | 573 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 574 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 575 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | -| 576 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | -| 577 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 576 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 577 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | | 578 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | | 579 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | | 580 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | @@ -595,17 +595,17 @@ nav_order: 1 | 584 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | | 585 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | | 586 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 587 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 588 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 589 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | -| 590 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 587 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 588 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 589 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 590 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 591 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | -| 592 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 593 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 594 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 592 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 593 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 594 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | | 595 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 596 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 597 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 596 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 597 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 598 | CKV_DOCKER_1 | dockerfile | EXPOSE | Ensure port 22 is not exposed | dockerfile | | 599 | CKV_DOCKER_2 | dockerfile | * | Ensure that HEALTHCHECK instructions have been added to container images | dockerfile | | 600 | CKV_DOCKER_3 | dockerfile | * | Ensure that a user for the container has been created | dockerfile | @@ -698,276 +698,276 @@ nav_order: 1 | 687 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | | 688 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | | 689 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 690 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 691 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 692 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 693 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 694 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 695 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 696 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 697 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 698 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 699 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 700 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 701 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 702 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 703 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 704 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 705 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 706 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 707 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 708 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 709 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 710 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 711 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 712 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 713 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 714 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 715 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 716 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 717 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 718 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 719 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 720 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 721 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 722 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 723 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 724 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 725 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 726 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 727 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 728 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 729 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 730 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 731 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 732 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 733 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 734 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 735 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 736 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 737 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 738 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 739 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 740 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 741 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 742 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 743 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 744 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 745 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 746 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 747 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 748 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 749 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 750 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 751 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 752 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 753 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 754 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 755 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 756 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 757 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 758 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 759 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 760 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 761 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 762 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 763 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 764 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 765 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 766 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 767 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 768 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 769 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 770 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 771 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 772 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 773 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 774 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 775 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 776 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 777 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 778 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 779 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 780 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 781 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 782 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 783 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 784 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 785 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 786 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 787 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 788 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 789 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 790 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 791 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 792 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 793 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 794 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 795 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 796 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 797 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 798 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 799 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 800 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 801 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 802 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 803 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 804 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 805 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 806 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 807 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 808 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 809 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 810 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 811 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 812 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 813 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 814 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 815 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 816 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 817 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 818 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 819 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 820 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 821 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 822 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 823 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 824 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 825 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 826 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 827 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 828 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 829 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 830 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 831 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 832 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 833 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 834 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 835 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 836 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 837 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 838 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 839 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 840 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 841 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 842 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 843 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 844 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 845 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 846 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 847 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 848 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 849 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 850 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 851 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 852 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 853 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 854 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 855 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 856 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 857 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 858 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 859 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 860 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 861 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 862 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 863 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 864 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 865 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 866 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 867 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 868 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 869 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 870 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 871 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 872 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 873 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 874 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 875 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 876 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 877 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 878 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 879 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 880 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 881 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 882 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 883 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 884 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 885 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 886 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 887 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 888 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 889 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 890 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 891 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 892 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 893 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 894 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 895 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 896 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 897 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 898 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 899 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 900 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 901 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 902 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 903 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 904 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 905 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 906 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 907 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 908 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 909 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 910 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 911 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 912 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 913 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 914 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 915 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 916 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 917 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 918 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 919 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 920 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 921 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 922 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 923 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 924 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 925 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 926 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 927 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 928 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 929 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 930 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 931 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 932 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 933 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 934 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 935 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 936 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 937 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 938 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 939 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 940 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 941 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 942 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 943 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 944 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 945 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 946 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 947 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 948 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 949 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 950 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 951 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 952 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 953 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 690 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 691 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 692 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 693 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 694 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 695 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 696 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 697 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 698 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 699 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 700 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 701 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 702 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 703 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 704 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 705 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 706 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 707 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 708 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 709 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 710 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 711 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 712 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 713 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 714 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 715 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 716 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 717 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 718 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 719 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 720 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 721 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 722 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 723 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 724 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 725 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 726 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 727 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 728 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 729 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 730 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 731 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 732 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 733 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 734 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 735 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 736 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 737 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 738 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 739 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 740 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 741 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 742 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 743 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 744 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 745 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 746 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 747 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 748 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 749 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 750 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 751 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 752 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 753 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 754 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 755 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 756 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 757 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 758 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 759 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 760 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 761 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 762 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 763 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 764 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 765 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 766 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 767 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 768 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 769 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 770 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 771 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 772 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 773 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 774 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 775 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 776 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 777 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 778 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 779 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 780 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 781 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 782 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 783 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 784 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 785 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 786 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 787 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 788 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 789 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 790 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 791 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 792 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 793 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 794 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 795 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 796 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 797 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 798 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 799 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 800 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 801 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 802 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 803 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 804 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 805 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 806 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 807 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 808 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 809 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 810 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 811 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 812 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 813 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 814 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 815 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 816 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 817 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 818 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 819 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 820 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 821 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 822 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 823 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 824 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 825 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 826 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 827 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 828 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 829 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 830 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 831 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 832 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 833 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 834 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 835 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 836 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 837 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 838 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 839 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 840 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 841 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 842 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 843 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 844 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 845 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 846 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 847 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 848 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 849 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 850 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 851 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 852 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 853 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 854 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 855 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 856 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 857 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 858 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 859 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 860 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 861 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 862 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 863 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 864 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 865 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 866 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 867 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 868 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 869 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 870 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 871 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 872 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 873 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 874 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 875 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 876 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 877 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 878 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 879 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 880 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 881 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 882 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 883 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 884 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 885 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 886 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 887 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 888 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 889 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 890 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 891 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 892 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 893 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 894 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 895 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 896 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 897 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 898 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 899 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 900 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 901 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 902 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 903 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 904 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 905 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 906 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 907 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 908 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 909 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 910 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 911 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 912 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 913 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 914 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 915 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 916 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 917 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 918 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 919 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 920 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 921 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 922 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 923 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 924 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 925 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 926 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 927 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 928 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 929 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 930 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 931 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 932 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 933 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 934 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 935 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 936 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 937 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 938 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 939 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 940 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 941 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 942 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 943 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 944 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 945 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 946 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 947 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 948 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 949 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 950 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 951 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 952 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 953 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 954 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 955 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 956 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 957 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 958 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 959 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 956 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 957 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 958 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 959 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | | 960 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | | 961 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 962 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | From ddea3f8bd633fc861131d7fffcb8ca6c0c95f3aa Mon Sep 17 00:00:00 2001 From: nimrodkor Date: Tue, 17 Aug 2021 08:52:00 +0300 Subject: [PATCH 137/203] Skip api key tests for PR tests --- docs/5.Policy Index/serverless.md | 130 ++++++++++++++++++++++++++++++ 1 file changed, 130 insertions(+) diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index d35af83ca3..020ab484d2 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md @@ -16,3 +16,133 @@ nav_order: 1 --- +| | Id | Type | Entity | Policy | IaC | +|-----|-------------|----------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| +| 0 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | +| 1 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | +| 2 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | +| 3 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | +| 4 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | +| 5 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | +| 6 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | +| 7 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | +| 8 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | +| 9 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | +| 10 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | +| 11 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | +| 12 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | +| 13 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | +| 14 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | +| 15 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 16 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 17 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 18 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 19 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | +| 20 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | +| 21 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | +| 22 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | +| 23 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | +| 24 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | +| 25 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | +| 26 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | +| 27 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | +| 28 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | +| 29 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | +| 30 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | +| 31 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | +| 32 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | +| 33 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | +| 34 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | +| 35 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | +| 36 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | +| 37 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | +| 38 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | +| 39 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | +| 40 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | +| 41 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | +| 42 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | +| 43 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | +| 44 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | +| 45 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | +| 46 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | +| 47 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | +| 48 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | +| 49 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | +| 50 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | +| 51 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | +| 52 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | +| 53 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | +| 54 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | +| 55 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | +| 56 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | +| 57 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | +| 58 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | +| 59 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | +| 60 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | +| 61 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | +| 62 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | +| 63 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | +| 64 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | +| 65 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | +| 66 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | +| 67 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | +| 68 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | +| 69 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | +| 70 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | +| 71 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | +| 72 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | +| 73 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | +| 74 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | +| 75 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | +| 76 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | +| 77 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | +| 78 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | +| 79 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | +| 80 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 81 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 82 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 83 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 84 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 85 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 86 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 87 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 88 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 89 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 90 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 91 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 92 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 93 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 94 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 95 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 96 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 97 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 98 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 99 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 100 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 101 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 102 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 103 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 104 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 105 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | +| 106 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | +| 107 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | +| 108 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | +| 109 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | +| 110 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | +| 111 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | +| 112 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | +| 113 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | +| 114 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | +| 115 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | +| 116 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | +| 117 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | +| 118 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | +| 119 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | +| 120 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | +| 121 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | +| 122 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | + + +--- + + From ca2673633080910d69ae5a6c8133eefdaeb36787 Mon Sep 17 00:00:00 2001 From: Nimrod Kor Date: Tue, 17 Aug 2021 09:02:18 +0300 Subject: [PATCH 138/203] Merge pull request #1504 from bridgecrewio/docker-updates Update entrypoint.sh for API key support and new args. --- checkov/version.py | 2 +- kubernetes/requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/checkov/version.py b/checkov/version.py index c2a627be3d..f3c308d0e9 100644 --- a/checkov/version.py +++ b/checkov/version.py @@ -1 +1 @@ -version = '2.0.353' +version = '2.0.354' diff --git a/kubernetes/requirements.txt b/kubernetes/requirements.txt index 6e6a4bd74c..6e93937194 100644 --- a/kubernetes/requirements.txt +++ b/kubernetes/requirements.txt @@ -1 +1 @@ -checkov==2.0.353 +checkov==2.0.354 From 795c3e65b822e9adb391e8ff5b6b5ee0cba914b8 Mon Sep 17 00:00:00 2001 From: nimrodkor Date: Tue, 17 Aug 2021 09:58:19 +0300 Subject: [PATCH 139/203] Revert deletion of CFTS --- .../graph_builder/graph_components/block_types.py | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/checkov/cloudformation/graph_builder/graph_components/block_types.py b/checkov/cloudformation/graph_builder/graph_components/block_types.py index 9333c810eb..1242fa6c56 100644 --- a/checkov/cloudformation/graph_builder/graph_components/block_types.py +++ b/checkov/cloudformation/graph_builder/graph_components/block_types.py @@ -13,3 +13,14 @@ class BlockType(CommonBlockType): CONDITION = "conditions" TRANSFORM = "transform" OUTPUT = "outputs" + + +class CloudformationTemplateSections(str, Enum): + RESOURCES = "Resources" + METADATA = "Metadata" + PARAMETERS = "Parameters" + RULES = "Rules" + MAPPINGS = "Mappings" + CONDITIONS = "Conditions" + TRANSFORM = "Transform" + OUTPUTS = "Outputs" From 5bf2b4a6a9ed8e1697f9d3739cf57e555092761b Mon Sep 17 00:00:00 2001 From: Nimrod Kor Date: Tue, 17 Aug 2021 10:41:29 +0300 Subject: [PATCH 140/203] Revert "Update Dockerfile to run as a non-root user " --- Dockerfile | 15 +++------------ 1 file changed, 3 insertions(+), 12 deletions(-) diff --git a/Dockerfile b/Dockerfile index eca10fff98..e39ad6592a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,22 +1,13 @@ FROM python:3.7-alpine -ARG UID=1000 -ARG GID=1000 -ARG USERNAME=checkov - RUN apk update && apk add --no-cache git util-linux bash openssl RUN pip install --no-cache-dir -U checkov RUN wget -q -O get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3; chmod 700 get_helm.sh; VERIFY_CHECKSUM=true ./get_helm.sh; rm ./get_helm.sh -RUN addgroup -S -g ${GID} ${USERNAME} && \ - adduser -S -D -u ${UID} -G ${USERNAME} ${USERNAME} - -COPY --chown=${USERNAME}:0 ./github_action_resources/entrypoint.sh /entrypoint.sh -COPY --chown=${USERNAME}:0 ./github_action_resources/checkov-problem-matcher.json /usr/local/lib/checkov-problem-matcher.json -COPY --chown=${USERNAME}:0 ./github_action_resources/checkov-problem-matcher-softfail.json /usr/local/lib/checkov-problem-matcher-softfail.json - -USER ${UID} +COPY ./github_action_resources/entrypoint.sh /entrypoint.sh +COPY ./github_action_resources/checkov-problem-matcher.json /usr/local/lib/checkov-problem-matcher.json +COPY ./github_action_resources/checkov-problem-matcher-softfail.json /usr/local/lib/checkov-problem-matcher-softfail.json # Code file to execute when the docker container starts up (`entrypoint.sh`) ENTRYPOINT ["/entrypoint.sh"] From c125ec61c4f0d5ca1a9866fb32b124f94b411f09 Mon Sep 17 00:00:00 2001 From: Nimrod Kor Date: Tue, 17 Aug 2021 10:56:33 +0300 Subject: [PATCH 141/203] Merge pull request #1507 from bridgecrewio/revert-1499-master Revert "Update Dockerfile to run as a non-root user " --- docs/5.Policy Index/terraform.md | 584 +++++++++++++++---------------- 1 file changed, 292 insertions(+), 292 deletions(-) diff --git a/docs/5.Policy Index/terraform.md b/docs/5.Policy Index/terraform.md index 46e3adbca5..c0bcab71f5 100644 --- a/docs/5.Policy Index/terraform.md +++ b/docs/5.Policy Index/terraform.md @@ -201,37 +201,37 @@ nav_order: 1 | 190 | CKV_AWS_170 | resource | aws_qldb_ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Terraform | | 191 | CKV_AWS_171 | resource | aws_emr_security_configuration | Ensure Cluster security configuration encryption is using SSE-KMS | Terraform | | 192 | CKV_AWS_172 | resource | aws_qldb_ledger | Ensure QLDB ledger has deletion protection enabled | Terraform | -| 193 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | -| 194 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | +| 193 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | +| 194 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | | 195 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | | 196 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | -| 197 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 198 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | +| 197 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | +| 198 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | | 199 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | | 200 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | | 201 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to an other resource | Terraform | | 202 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | | 203 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | -| 204 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | -| 205 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 204 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 205 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | | 206 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | | 207 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | | 208 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | | 209 | CKV2_AWS_11 | resource | aws_vpc | Ensure VPC flow logging is enabled in all VPCs | Terraform | -| 210 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | -| 211 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 210 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 211 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | | 212 | CKV2_AWS_13 | resource | aws_redshift_cluster | Ensure that Redshift clusters has backup plan of AWS Backup | Terraform | -| 213 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | -| 214 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | -| 215 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 216 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 213 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | +| 214 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | +| 215 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 216 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | | 217 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 218 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 219 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | -| 220 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 221 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 222 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | -| 223 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 220 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | +| 221 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | +| 222 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 223 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | | 224 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | | 225 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | | 226 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | @@ -399,11 +399,11 @@ nav_order: 1 | 388 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | | 389 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | | 390 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 391 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | -| 392 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 391 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 392 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 393 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | -| 394 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | -| 395 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | +| 394 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | +| 395 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 396 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | | 397 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | | 398 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | @@ -421,12 +421,12 @@ nav_order: 1 | 410 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 411 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 412 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | -| 413 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 414 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 413 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 414 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | | 415 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 416 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 417 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 418 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 416 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 417 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 418 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 419 | CKV_GCP_1 | resource | google_container_cluster | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters | Terraform | | 420 | CKV_GCP_2 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted ssh access | Terraform | | 421 | CKV_GCP_3 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted rdp access | Terraform | @@ -511,274 +511,274 @@ nav_order: 1 | 500 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | | 501 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | | 502 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 503 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 504 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 505 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 506 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 507 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 508 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 509 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 510 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 511 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 512 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 513 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 514 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 515 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 516 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 517 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 518 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 519 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 520 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 521 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 522 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 523 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 524 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 525 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 526 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 527 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 528 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 529 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 530 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 531 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 532 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 533 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 534 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 535 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 536 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 537 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 538 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 539 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 540 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 541 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 542 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 543 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 544 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 545 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 546 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 547 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 548 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 549 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 550 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 551 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 552 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 553 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 554 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 555 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 556 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 557 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 558 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 559 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 560 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 561 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 562 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 563 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 564 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 565 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 566 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 567 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 568 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 569 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 570 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 571 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 572 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 573 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 574 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 575 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 576 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 577 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 578 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 579 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 580 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 581 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 582 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 583 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 584 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 585 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 586 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 587 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 588 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 589 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 590 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 591 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 592 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 593 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 594 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 595 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 596 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 597 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 598 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 599 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 600 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 601 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 602 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 603 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 604 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 605 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 606 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 607 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 608 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 609 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 610 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 611 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 612 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 613 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 614 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 615 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 616 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 617 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 618 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 619 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 620 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 621 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 622 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 623 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 624 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 625 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 626 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 627 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 628 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 629 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 630 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 631 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 632 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 633 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 634 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 635 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 636 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 637 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 638 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 639 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 640 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 641 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 642 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 643 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 644 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 645 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 646 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 647 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 648 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 649 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 650 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 651 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 652 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 653 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 654 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 655 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 656 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 657 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 658 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 659 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 660 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 661 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 662 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 663 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 664 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 665 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 666 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 667 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 668 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 669 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 670 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 671 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 672 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 673 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 674 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 675 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 676 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 677 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 678 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 679 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 680 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 681 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 682 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 683 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 684 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 685 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 686 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 687 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 688 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 689 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 690 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 691 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 692 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 693 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 694 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 695 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 696 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 697 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 698 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 699 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 700 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 701 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 702 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 703 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 704 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 705 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 706 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 707 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 708 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 709 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 710 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 711 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 712 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 713 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 714 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 715 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 716 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 717 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 718 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 719 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 720 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 721 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 722 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 723 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 724 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 725 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 726 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 727 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 728 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 729 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 730 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 731 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 732 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 733 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 734 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 735 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 736 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 737 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 738 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 739 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 740 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 741 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 742 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 743 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 744 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 745 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 746 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 747 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 748 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 749 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 750 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 751 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 752 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 753 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 754 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 755 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 756 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 757 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 503 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 504 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 505 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 506 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 507 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 508 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 509 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 510 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 511 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 512 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 513 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 514 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 515 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 516 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 517 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 518 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 519 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 520 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 521 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 522 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 523 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 524 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 525 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 526 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 527 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 528 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 529 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 530 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 531 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 532 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 533 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 534 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 535 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 536 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 537 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 538 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 539 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 540 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 541 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 542 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 543 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 544 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 545 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 546 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 547 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 548 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 549 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 550 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 551 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 552 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 553 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 554 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 555 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 556 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 557 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 558 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 559 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 560 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 561 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 562 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 563 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 564 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 565 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 566 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 567 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 568 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 569 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 570 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 571 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 572 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 573 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 574 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 575 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 576 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 577 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 578 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 579 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 580 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 581 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 582 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 583 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 584 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 585 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 586 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 587 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 588 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 589 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 590 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 591 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 592 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 593 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 594 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 595 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 596 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 597 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 598 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 599 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 600 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 601 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 602 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 603 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 604 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 605 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 606 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 607 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 608 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 609 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 610 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 611 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 612 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 613 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 614 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 615 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 616 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 617 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 618 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 619 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 620 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 621 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 622 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 623 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 624 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 625 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 626 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 627 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 628 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 629 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 630 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 631 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 632 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 633 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 634 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 635 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 636 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 637 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 638 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 639 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 640 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 641 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 642 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 643 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 644 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 645 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 646 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 647 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 648 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 649 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 650 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 651 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 652 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 653 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 654 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 655 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 656 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 657 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 658 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 659 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 660 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 661 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 662 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 663 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 664 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 665 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 666 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 667 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 668 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 669 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 670 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 671 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 672 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 673 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 674 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 675 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 676 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 677 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 678 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 679 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 680 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 681 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 682 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 683 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 684 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 685 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 686 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 687 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 688 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 689 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 690 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 691 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 692 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 693 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 694 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 695 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 696 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 697 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 698 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 699 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 700 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 701 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 702 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 703 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 704 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 705 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 706 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 707 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 708 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 709 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 710 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 711 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 712 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 713 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 714 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 715 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 716 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 717 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 718 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 719 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 720 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 721 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 722 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 723 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 724 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 725 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 726 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 727 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 728 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 729 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 730 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 731 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 732 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 733 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 734 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 735 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 736 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 737 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 738 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 739 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 740 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 741 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 742 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 743 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 744 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 745 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 746 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 747 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 748 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 749 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 750 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 751 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 752 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 753 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 754 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 755 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 756 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 757 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 758 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 759 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 760 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 761 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 762 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 763 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 764 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 765 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 766 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 767 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 768 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 769 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 770 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 759 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 760 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 761 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 762 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 763 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 764 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 765 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 766 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 767 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 768 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 769 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 770 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | | 771 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | | 772 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | | 773 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | From bd1a4cade5f5e0563331a3fac58f314f078c401b Mon Sep 17 00:00:00 2001 From: Nimrod Kor Date: Tue, 17 Aug 2021 10:56:33 +0300 Subject: [PATCH 142/203] Merge pull request #1507 from bridgecrewio/revert-1499-master Revert "Update Dockerfile to run as a non-root user " --- docs/5.Policy Index/serverless.md | 130 ------------------------------ 1 file changed, 130 deletions(-) diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index 020ab484d2..d35af83ca3 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md @@ -16,133 +16,3 @@ nav_order: 1 --- -| | Id | Type | Entity | Policy | IaC | -|-----|-------------|----------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| -| 0 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | -| 1 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | -| 2 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | -| 3 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | -| 4 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | -| 5 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | -| 6 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | -| 7 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | -| 8 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | -| 9 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | -| 10 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | -| 11 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | -| 12 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | -| 13 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | -| 14 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | -| 15 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 16 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 17 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 18 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 19 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | -| 20 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | -| 21 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | -| 22 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | -| 23 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | -| 24 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | -| 25 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | -| 26 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | -| 27 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | -| 28 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | -| 29 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | -| 30 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | -| 31 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | -| 32 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | -| 33 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | -| 34 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | -| 35 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | -| 36 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | -| 37 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | -| 38 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | -| 39 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | -| 40 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | -| 41 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | -| 42 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | -| 43 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | -| 44 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | -| 45 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | -| 46 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | -| 47 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | -| 48 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | -| 49 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | -| 50 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | -| 51 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | -| 52 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | -| 53 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | -| 54 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | -| 55 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | -| 56 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | -| 57 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | -| 58 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | -| 59 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | -| 60 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | -| 61 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | -| 62 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | -| 63 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | -| 64 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | -| 65 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | -| 66 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | -| 67 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | -| 68 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | -| 69 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | -| 70 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | -| 71 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | -| 72 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | -| 73 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | -| 74 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | -| 75 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | -| 76 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | -| 77 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | -| 78 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | -| 79 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | -| 80 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 81 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 82 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 83 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 84 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 85 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 86 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 87 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 88 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 89 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 90 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 91 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 92 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 93 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 94 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 95 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 96 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 97 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 98 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 99 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 100 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 101 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 102 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 103 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 104 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 105 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | -| 106 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | -| 107 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | -| 108 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | -| 109 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | -| 110 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | -| 111 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | -| 112 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | -| 113 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | -| 114 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | -| 115 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | -| 116 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | -| 117 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | -| 118 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | -| 119 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | -| 120 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | -| 121 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | -| 122 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | - - ---- - - From 51b8f638424be9dae495166e0c681af0c92e2f03 Mon Sep 17 00:00:00 2001 From: Nimrod Kor Date: Tue, 17 Aug 2021 10:56:33 +0300 Subject: [PATCH 143/203] Merge pull request #1507 from bridgecrewio/revert-1499-master Revert "Update Dockerfile to run as a non-root user " --- docs/5.Policy Index/all.md | 592 ++++++++++++++++++------------------- 1 file changed, 296 insertions(+), 296 deletions(-) diff --git a/docs/5.Policy Index/all.md b/docs/5.Policy Index/all.md index 155215b59e..8ccd908e67 100644 --- a/docs/5.Policy Index/all.md +++ b/docs/5.Policy Index/all.md @@ -329,15 +329,15 @@ nav_order: 1 | 318 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | | 319 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | | 320 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | -| 321 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | -| 322 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 321 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 322 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | | 323 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | | 324 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 325 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | -| 326 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 325 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 326 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | | 327 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to an other resource | Terraform | -| 328 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | -| 329 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | +| 328 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | +| 329 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | | 330 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | | 331 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | | 332 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | @@ -349,15 +349,15 @@ nav_order: 1 | 338 | CKV2_AWS_13 | resource | aws_redshift_cluster | Ensure that Redshift clusters has backup plan of AWS Backup | Terraform | | 339 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | | 340 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | -| 341 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 342 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 341 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 342 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | | 343 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 344 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 345 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | | 346 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | | 347 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 348 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | -| 349 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 348 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 349 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | | 350 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | | 351 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | | 352 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | @@ -569,29 +569,29 @@ nav_order: 1 | 558 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | | 559 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | | 560 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 561 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 562 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 563 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 564 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 565 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 566 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 567 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 568 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 569 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 570 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | -| 571 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 561 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 562 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 563 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 564 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 565 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 566 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 567 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 568 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 569 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 570 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 571 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 572 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | | 573 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 574 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 575 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | -| 576 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | -| 577 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 576 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 577 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | | 578 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | | 579 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | | 580 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | | 581 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | -| 582 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | -| 583 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | +| 582 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | +| 583 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | | 584 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | | 585 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | | 586 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | @@ -601,11 +601,11 @@ nav_order: 1 | 590 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 591 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | | 592 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 593 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 594 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 593 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 594 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | | 595 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 596 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 597 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 596 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 597 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 598 | CKV_DOCKER_1 | dockerfile | EXPOSE | Ensure port 22 is not exposed | dockerfile | | 599 | CKV_DOCKER_2 | dockerfile | * | Ensure that HEALTHCHECK instructions have been added to container images | dockerfile | | 600 | CKV_DOCKER_3 | dockerfile | * | Ensure that a user for the container has been created | dockerfile | @@ -698,279 +698,279 @@ nav_order: 1 | 687 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | | 688 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | | 689 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 690 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 691 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 692 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 693 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 694 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 695 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 696 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 697 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 698 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 699 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 700 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 701 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 702 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 703 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 704 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 705 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 706 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 707 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 708 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 709 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 710 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 711 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 712 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 713 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 714 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 715 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 716 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 717 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 718 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 719 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 720 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 721 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 722 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 723 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 724 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 725 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 726 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 727 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 728 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 729 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 730 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 731 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 732 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 733 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 734 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 735 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 736 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 737 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 738 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 739 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 740 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 741 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 742 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 743 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 744 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 745 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 746 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 747 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 748 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 749 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 750 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 751 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 752 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 753 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 754 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 755 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 756 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 757 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 758 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 759 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 760 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 761 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 762 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 690 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 691 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 692 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 693 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 694 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 695 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 696 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 697 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 698 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 699 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 700 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 701 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 702 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 703 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 704 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 705 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 706 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 707 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 708 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 709 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 710 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 711 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 712 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 713 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 714 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 715 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 716 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 717 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 718 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 719 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 720 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 721 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 722 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 723 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 724 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 725 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 726 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 727 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 728 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 729 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 730 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 731 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 732 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 733 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 734 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 735 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 736 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 737 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 738 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 739 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 740 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 741 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 742 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 743 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 744 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 745 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 746 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 747 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 748 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 749 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 750 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 751 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 752 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 753 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 754 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 755 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 756 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 757 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 758 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 759 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 760 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 761 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 762 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 763 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 764 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 765 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 766 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 767 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 768 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 769 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 770 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 771 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 772 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 773 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 774 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 775 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 776 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 777 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 778 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 779 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 780 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 781 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 782 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 783 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 784 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 785 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 786 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 787 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 788 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 789 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 790 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 791 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 792 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 793 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 794 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 795 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 796 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 797 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 798 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 799 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 800 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 801 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 802 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 803 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 804 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 805 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 806 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 807 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 808 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 809 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 810 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 811 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 812 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 813 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 814 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 815 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 816 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 817 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 818 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 819 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 820 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 821 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 822 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 823 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 824 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 825 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 826 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 827 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 828 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 829 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 830 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 831 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 832 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 764 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 765 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 766 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 767 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 768 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 769 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 770 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 771 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 772 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 773 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 774 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 775 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 776 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 777 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 778 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 779 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 780 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 781 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 782 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 783 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 784 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 785 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 786 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 787 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 788 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 789 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 790 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 791 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 792 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 793 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 794 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 795 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 796 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 797 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 798 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 799 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 800 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 801 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 802 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 803 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 804 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 805 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 806 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 807 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 808 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 809 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 810 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 811 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 812 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 813 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 814 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 815 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 816 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 817 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 818 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 819 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 820 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 821 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 822 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 823 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 824 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 825 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 826 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 827 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 828 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 829 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 830 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 831 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 832 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 833 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 834 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 835 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 836 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 837 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 838 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 839 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 840 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 841 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 842 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 843 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 844 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 845 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 846 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 847 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 848 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 849 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 850 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 851 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 852 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 853 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 854 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 855 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 856 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 857 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 858 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 859 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 860 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 861 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 862 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 863 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 864 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 865 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 866 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 867 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 868 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 869 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 870 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 871 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 872 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 873 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 874 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 875 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 876 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 877 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 878 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 879 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 880 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 881 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 882 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 883 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 884 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 885 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 886 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 887 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 888 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 889 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 890 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 891 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 892 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 893 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 894 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 895 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 896 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 897 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 898 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 899 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 900 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 901 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 902 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 903 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 904 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 905 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 906 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 907 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 908 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 909 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 910 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 911 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 912 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 913 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 914 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 915 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 916 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 917 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 918 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 919 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 920 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 921 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 922 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 923 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 924 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 925 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 926 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 927 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 928 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 929 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 930 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 931 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 834 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 835 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 836 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 837 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 838 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 839 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 840 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 841 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 842 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 843 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 844 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 845 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 846 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 847 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 848 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 849 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 850 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 851 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 852 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 853 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 854 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 855 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 856 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 857 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 858 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 859 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 860 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 861 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 862 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 863 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 864 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 865 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 866 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 867 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 868 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 869 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 870 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 871 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 872 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 873 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 874 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 875 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 876 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 877 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 878 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 879 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 880 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 881 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 882 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 883 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 884 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 885 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 886 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 887 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 888 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 889 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 890 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 891 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 892 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 893 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 894 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 895 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 896 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 897 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 898 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 899 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 900 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 901 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 902 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 903 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 904 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 905 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 906 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 907 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 908 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 909 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 910 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 911 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 912 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 913 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 914 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 915 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 916 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 917 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 918 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 919 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 920 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 921 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 922 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 923 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 924 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 925 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 926 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 927 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 928 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 929 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 930 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 931 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 932 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 933 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 934 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 935 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 936 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 937 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 938 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 939 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 940 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 941 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 942 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 943 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 944 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 945 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 946 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 947 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 948 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 949 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 950 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 951 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 952 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 953 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 954 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 933 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 934 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 935 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 936 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 937 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 938 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 939 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 940 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 941 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 942 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 943 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 944 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 945 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 946 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 947 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 948 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 949 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 950 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 951 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 952 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 953 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 954 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 955 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 956 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | | 957 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 958 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 959 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 960 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 961 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | -| 962 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 958 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 959 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 960 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 961 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 962 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 963 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform | | 964 | CKV_K8S_1 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host process ID namespace | Kubernetes | | 965 | CKV_K8S_2 | resource | PodSecurityPolicy | Do not admit privileged containers | Kubernetes | From eab72106dfb87b4a255b794439b07ee516890be4 Mon Sep 17 00:00:00 2001 From: Nimrod Kor Date: Tue, 17 Aug 2021 10:56:33 +0300 Subject: [PATCH 144/203] Merge pull request #1507 from bridgecrewio/revert-1499-master Revert "Update Dockerfile to run as a non-root user " --- docs/5.Policy Index/serverless.md | 130 ++++++++++++++++++++++++++++++ 1 file changed, 130 insertions(+) diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index d35af83ca3..020ab484d2 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md @@ -16,3 +16,133 @@ nav_order: 1 --- +| | Id | Type | Entity | Policy | IaC | +|-----|-------------|----------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| +| 0 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | +| 1 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | +| 2 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | +| 3 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | +| 4 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | +| 5 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | +| 6 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | +| 7 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | +| 8 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | +| 9 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | +| 10 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | +| 11 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | +| 12 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | +| 13 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | +| 14 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | +| 15 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 16 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 17 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 18 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 19 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | +| 20 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | +| 21 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | +| 22 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | +| 23 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | +| 24 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | +| 25 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | +| 26 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | +| 27 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | +| 28 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | +| 29 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | +| 30 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | +| 31 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | +| 32 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | +| 33 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | +| 34 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | +| 35 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | +| 36 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | +| 37 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | +| 38 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | +| 39 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | +| 40 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | +| 41 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | +| 42 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | +| 43 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | +| 44 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | +| 45 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | +| 46 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | +| 47 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | +| 48 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | +| 49 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | +| 50 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | +| 51 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | +| 52 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | +| 53 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | +| 54 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | +| 55 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | +| 56 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | +| 57 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | +| 58 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | +| 59 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | +| 60 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | +| 61 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | +| 62 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | +| 63 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | +| 64 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | +| 65 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | +| 66 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | +| 67 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | +| 68 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | +| 69 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | +| 70 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | +| 71 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | +| 72 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | +| 73 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | +| 74 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | +| 75 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | +| 76 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | +| 77 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | +| 78 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | +| 79 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | +| 80 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 81 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 82 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 83 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 84 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 85 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 86 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 87 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 88 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 89 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 90 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 91 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 92 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 93 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 94 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 95 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 96 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 97 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 98 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 99 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 100 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 101 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 102 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 103 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 104 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 105 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | +| 106 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | +| 107 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | +| 108 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | +| 109 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | +| 110 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | +| 111 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | +| 112 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | +| 113 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | +| 114 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | +| 115 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | +| 116 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | +| 117 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | +| 118 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | +| 119 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | +| 120 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | +| 121 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | +| 122 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | + + +--- + + From c4e8ed90e6284b7bbbd4495e22363dacb3bd64e4 Mon Sep 17 00:00:00 2001 From: Nimrod Kor Date: Tue, 17 Aug 2021 10:56:33 +0300 Subject: [PATCH 145/203] Merge pull request #1507 from bridgecrewio/revert-1499-master Revert "Update Dockerfile to run as a non-root user " --- checkov/version.py | 2 +- kubernetes/requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/checkov/version.py b/checkov/version.py index f3c308d0e9..e8a582f728 100644 --- a/checkov/version.py +++ b/checkov/version.py @@ -1 +1 @@ -version = '2.0.354' +version = '2.0.355' diff --git a/kubernetes/requirements.txt b/kubernetes/requirements.txt index 6e93937194..8413b65b37 100644 --- a/kubernetes/requirements.txt +++ b/kubernetes/requirements.txt @@ -1 +1 @@ -checkov==2.0.354 +checkov==2.0.355 From fc384b95dc31cd7d2971f23735e0b34d2ff334fb Mon Sep 17 00:00:00 2001 From: Saar Ettinger Date: Tue, 17 Aug 2021 11:13:23 +0300 Subject: [PATCH 146/203] changed a few enms to dataclasses --- .../graph_builder/local_graph.py | 28 +++++++++---------- checkov/cloudformation/parser/cfn_keywords.py | 12 +++++--- 2 files changed, 22 insertions(+), 18 deletions(-) diff --git a/checkov/cloudformation/graph_builder/local_graph.py b/checkov/cloudformation/graph_builder/local_graph.py index 6505c7c32d..337028839a 100644 --- a/checkov/cloudformation/graph_builder/local_graph.py +++ b/checkov/cloudformation/graph_builder/local_graph.py @@ -17,9 +17,9 @@ class CloudformationLocalGraph(LocalGraph): - SUPPORTED_RESOURCE_ATTR_CONNECTION_KEYS = (ResourceAttributes.DEPENDS_ON.value, IntrinsicFunctions.CONDITION.value) - SUPPORTED_FN_CONNECTION_KEYS = (IntrinsicFunctions.GET_ATT.value, ConditionFunctions.IF.value, - IntrinsicFunctions.REF.value, IntrinsicFunctions.FIND_IN_MAP.value) + SUPPORTED_RESOURCE_ATTR_CONNECTION_KEYS = (ResourceAttributes.DEPENDS_ON, IntrinsicFunctions.CONDITION) + SUPPORTED_FN_CONNECTION_KEYS = (IntrinsicFunctions.GET_ATT, ConditionFunctions.IF, + IntrinsicFunctions.REF, IntrinsicFunctions.FIND_IN_MAP) def __init__(self, cfn_definitions: Dict[str, dict_node], source: str = "CloudFormation") -> None: super().__init__() @@ -31,10 +31,10 @@ def __init__(self, cfn_definitions: Dict[str, dict_node], source: str = "CloudFo self._templates = {file_path: Template(file_path, definition) for file_path, definition in self.definitions.items()} self._connection_key_func = { - IntrinsicFunctions.GET_ATT.value: self._fetch_getatt_target_id, - ConditionFunctions.IF.value: self._fetch_if_target_id, - IntrinsicFunctions.REF.value: self._fetch_ref_target_id, - IntrinsicFunctions.FIND_IN_MAP.value: self._fetch_findinmap_target_id + IntrinsicFunctions.GET_ATT: self._fetch_getatt_target_id, + ConditionFunctions.IF: self._fetch_if_target_id, + IntrinsicFunctions.REF: self._fetch_ref_target_id, + IntrinsicFunctions.FIND_IN_MAP: self._fetch_findinmap_target_id } def build_graph(self, render_variables: bool) -> None: @@ -182,7 +182,7 @@ def _fetch_findinmap_target_id(self, template, value) -> int: def _add_fn_sub_connections(self): for file_path, template in self._templates.items(): # add edges for "Fn::Sub" tags. E.g. { "Fn::Sub": "arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:vpc/${vpc}" } - sub_objs = template.search_deep_keys(IntrinsicFunctions.SUB.value) + sub_objs = template.search_deep_keys(IntrinsicFunctions.SUB) for sub_obj in sub_objs: sub_parameters = [] sub_parameter_values = {} @@ -223,12 +223,12 @@ def _find_fn_sub_parameter(string): return regex.findall(string) def _create_edges(self) -> None: - self._add_resource_attr_connections(ResourceAttributes.DEPENDS_ON.value) - self._add_resource_attr_connections(IntrinsicFunctions.CONDITION.value) - self._add_fn_connections(IntrinsicFunctions.GET_ATT.value) - self._add_fn_connections(ConditionFunctions.IF.value) - self._add_fn_connections(IntrinsicFunctions.REF.value) - self._add_fn_connections(IntrinsicFunctions.FIND_IN_MAP.value) + self._add_resource_attr_connections(ResourceAttributes.DEPENDS_ON) + self._add_resource_attr_connections(IntrinsicFunctions.CONDITION) + self._add_fn_connections(IntrinsicFunctions.GET_ATT) + self._add_fn_connections(ConditionFunctions.IF) + self._add_fn_connections(IntrinsicFunctions.REF) + self._add_fn_connections(IntrinsicFunctions.FIND_IN_MAP) self._add_fn_sub_connections() def _create_edge(self, origin_vertex_index: int, dest_vertex_index: int, label: str) -> None: diff --git a/checkov/cloudformation/parser/cfn_keywords.py b/checkov/cloudformation/parser/cfn_keywords.py index 7dac8fe097..b891162901 100644 --- a/checkov/cloudformation/parser/cfn_keywords.py +++ b/checkov/cloudformation/parser/cfn_keywords.py @@ -1,7 +1,9 @@ +from dataclasses import dataclass from enum import Enum -class IntrinsicFunctions(str, Enum): +@dataclass +class IntrinsicFunctions: BASE64 = "Fn::Base64" CIDR = "Fn::Cidr" FIND_IN_MAP = "Fn::FindInMap" @@ -17,7 +19,8 @@ class IntrinsicFunctions(str, Enum): CONDITION = "Condition" -class ConditionFunctions(str, Enum): +@dataclass +class ConditionFunctions: AND = "Fn::And" EQUALS = "Fn::Equals" IF = "Fn::If" @@ -25,7 +28,8 @@ class ConditionFunctions(str, Enum): OR = "Fn::Or" -class ResourceAttributes(str, Enum): +@dataclass +class ResourceAttributes: CREATION_POLICY = "CreationPolicy" DELETION_POLICY = "DeletionPolicy" DEPENDS_ON = "DependsOn" @@ -42,4 +46,4 @@ class TemplateSections(str, Enum): MAPPINGS = "Mappings" CONDITIONS = "Conditions" TRANSFORM = "Transform" - OUTPUTS = "Outputs" \ No newline at end of file + OUTPUTS = "Outputs" From dba2bba450e849e1f0e1f507c4052cf514521189 Mon Sep 17 00:00:00 2001 From: Saar Ettinger Date: Tue, 17 Aug 2021 11:28:37 +0300 Subject: [PATCH 147/203] changed dpath to dict unwrapping --- .../cloudformation/graph_builder/local_graph.py | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/checkov/cloudformation/graph_builder/local_graph.py b/checkov/cloudformation/graph_builder/local_graph.py index 337028839a..9d44642b8c 100644 --- a/checkov/cloudformation/graph_builder/local_graph.py +++ b/checkov/cloudformation/graph_builder/local_graph.py @@ -3,7 +3,6 @@ from inspect import ismethod from typing import Dict, Any -import dpath.util import six from cfnlint.template import Template @@ -98,10 +97,8 @@ def _add_resource_attr_connections(self, attribute): if vertex.block_type == BlockType.RESOURCE: vertex_path = vertex.path vertex_name = vertex.name.split('.')[-1] - vertex_definition = dpath.get(self.definitions, - [vertex_path, TemplateSections.RESOURCES.value, - vertex_name]) - target_ids = vertex_definition.get(attribute) + target_ids = self.definitions.get(vertex_path, {})\ + .get(TemplateSections.RESOURCES.value, {}).get(vertex_name, {}).get(attribute, None) if isinstance(target_ids, (list, six.string_types)): if isinstance(target_ids, (six.string_types)): target_ids = [target_ids] @@ -208,11 +205,8 @@ def _add_fn_sub_connections(self): self._create_edge(origin_vertex_index, dest_vertex_index, label) def _extract_origin_dest_label(self, file_path, source_id, target_id, attributes): - origin_vertex_index, dest_vertex_index = None, None - if dpath.search(self._vertices_indexes, [file_path, source_id]): - origin_vertex_index = dpath.get(self._vertices_indexes, [file_path, source_id]) - if dpath.search(self._vertices_indexes, [file_path, target_id]): - dest_vertex_index = dpath.get(self._vertices_indexes, [file_path, target_id]) + origin_vertex_index = self._vertices_indexes.get(file_path, {}).get(source_id, None) + dest_vertex_index = self._vertices_indexes.get(file_path, {}).get(target_id, None) attributes_joined = '.'.join(map(str, attributes)) # mapping all attributes to str because one of the attrs might be an int return origin_vertex_index, dest_vertex_index, attributes_joined From d523065dbd7e76ed8c7be11303d5ac64c176d7cb Mon Sep 17 00:00:00 2001 From: Saar Ettinger Date: Tue, 17 Aug 2021 12:06:15 +0300 Subject: [PATCH 148/203] fixed pr rejects --- .../graph_builder/local_graph.py | 54 ++++++++++--------- checkov/cloudformation/parser/__init__.py | 4 +- checkov/cloudformation/runner.py | 2 +- 3 files changed, 31 insertions(+), 29 deletions(-) diff --git a/checkov/cloudformation/graph_builder/local_graph.py b/checkov/cloudformation/graph_builder/local_graph.py index 9d44642b8c..ce12f41226 100644 --- a/checkov/cloudformation/graph_builder/local_graph.py +++ b/checkov/cloudformation/graph_builder/local_graph.py @@ -1,10 +1,7 @@ import logging import re from inspect import ismethod -from typing import Dict, Any - -import six -from cfnlint.template import Template +from typing import Dict, Any, Optional from checkov.cloudformation.graph_builder.graph_components.block_types import BlockType from checkov.cloudformation.graph_builder.graph_components.blocks import CloudformationBlock @@ -13,6 +10,7 @@ from checkov.cloudformation.parser.node import dict_node from checkov.common.graph.graph_builder import Edge from checkov.common.graph.graph_builder.local_graph import LocalGraph +from cfnlint.template import Template class CloudformationLocalGraph(LocalGraph): @@ -99,18 +97,23 @@ def _add_resource_attr_connections(self, attribute): vertex_name = vertex.name.split('.')[-1] target_ids = self.definitions.get(vertex_path, {})\ .get(TemplateSections.RESOURCES.value, {}).get(vertex_name, {}).get(attribute, None) - if isinstance(target_ids, (list, six.string_types)): - if isinstance(target_ids, (six.string_types)): - target_ids = [target_ids] + target_ids = [target_ids] if isinstance(target_ids, str) else target_ids + if isinstance(target_ids, list): for target_id in target_ids: - if isinstance(target_id, six.string_types): + if isinstance(target_id, str): dest_vertex_index = self._vertices_indexes[vertex_path][target_id] self._create_edge(origin_node_index, dest_vertex_index, label=attribute) + else: + logging.info(f"[CloudformationLocalGraph] didnt create edge for target_id {target_id}" + f"and vertex_path {vertex_path} as target_id is not a string") + else: + logging.info(f"[CloudformationLocalGraph] didnt create edge for target_ids {target_ids}" + f"and vertex_path {vertex_path} as target_ids is not a list") def _extract_source_value_attrs(self, matching_path): - # matching_path for Resource = [template_section, source_id, 'Properties', ... , key, value] - # matching_path otherwise = # matching_path for Resource = [template_section, source_id, ... , key, value] - # key = Ref, GetAtt, etc... + """ matching_path for Resource = [template_section, source_id, 'Properties', ... , key, value] + matching_path otherwise = # matching_path for Resource = [template_section, source_id, ... , key, value] + key = a member of SUPPORTED_FN_CONNECTION_KEYS """ template_section = matching_path[0] source_id = matching_path[1] value = matching_path[-1] @@ -133,18 +136,17 @@ def _add_fn_connections(self, key) -> None: if target_id: origin_vertex_index, dest_vertex_index, label = self._extract_origin_dest_label( file_path, source_id, target_id, attributes) - if origin_vertex_index is None or dest_vertex_index is None: - continue - self._create_edge(origin_vertex_index, dest_vertex_index, label) + if origin_vertex_index is not None and dest_vertex_index is not None: + self._create_edge(origin_vertex_index, dest_vertex_index, label) - def _fetch_if_target_id(self, template, value) -> int: + def _fetch_if_target_id(self, template, value) -> Optional[int]: target_id = None # value = [condition_name, value_if_true, value_if_false] if isinstance(value, list) and len(value) == 3 and (self._is_condition(template, value[0])): target_id = value[0] return target_id - def _fetch_getatt_target_id(self, template, value) -> int: + def _fetch_getatt_target_id(self, template, value) -> Optional[int]: """ might be one of the 2 following notations: 1st: { "Fn::GetAtt" : [ "logicalNameOfResource", "attributeName" ] } 2nd: { "!GetAtt" : "logicalNameOfResource.attributeName" } """ @@ -155,21 +157,22 @@ def _fetch_getatt_target_id(self, template, value) -> int: target_id = value[0] # !GetAtt notation - if isinstance(value, (six.string_types, six.text_type)) and '.' in value: - if self._is_resource(template, value.split('.')[0]): - target_id = value.split('.')[0] + if isinstance(value, str) and '.' in value: + resource_id = value.split('.')[0] + if self._is_resource(template, resource_id): + target_id = resource_id return target_id - def _fetch_ref_target_id(self, template, value) -> int: + def _fetch_ref_target_id(self, template, value) -> Optional[int]: target_id = None # value might be a string or a list of strings - if isinstance(value, (six.text_type, six.string_types, int)) \ + if isinstance(value, (str, int)) \ and ((self._is_resource(template, value)) or (self._is_parameter(template, value))): target_id = value return target_id - def _fetch_findinmap_target_id(self, template, value) -> int: + def _fetch_findinmap_target_id(self, template, value) -> Optional[int]: target_id = None # value = [ MapName, TopLevelKey, SecondLevelKey ] if isinstance(value, list) and len(value) == 3 and (self._is_mapping(template, value[0])): @@ -191,7 +194,7 @@ def _add_fn_sub_connections(self): if len(value) == 2: sub_parameter_values = value[1] sub_parameters = self._find_fn_sub_parameter(value[0]) - elif isinstance(value, (six.text_type, six.string_types)): + elif isinstance(value, str): sub_parameters = self._find_fn_sub_parameter(value) for sub_parameter in sub_parameters: @@ -200,9 +203,8 @@ def _add_fn_sub_connections(self): sub_parameter = sub_parameter.split('.')[0] origin_vertex_index, dest_vertex_index, label = self._extract_origin_dest_label( file_path, source_id, sub_parameter, attributes) - if origin_vertex_index is None or dest_vertex_index is None: - continue - self._create_edge(origin_vertex_index, dest_vertex_index, label) + if origin_vertex_index is not None and dest_vertex_index is not None: + self._create_edge(origin_vertex_index, dest_vertex_index, label) def _extract_origin_dest_label(self, file_path, source_id, target_id, attributes): origin_vertex_index = self._vertices_indexes.get(file_path, {}).get(source_id, None) diff --git a/checkov/cloudformation/parser/__init__.py b/checkov/cloudformation/parser/__init__.py index 0c2227edab..57e07179ac 100644 --- a/checkov/cloudformation/parser/__init__.py +++ b/checkov/cloudformation/parser/__init__.py @@ -48,7 +48,7 @@ def parse(filename: str) -> Union[Tuple[dict_node, List[Tuple[int, str]]], Tuple resources = template.get(TemplateSections.RESOURCES.value, None) if resources: if '__startline__' in resources: - resources.pop('__startline__') + del resources['__startline__'] if '__endline__' in resources: - resources.pop('__endline__') + del resources['__endline__'] return template, template_lines diff --git a/checkov/cloudformation/runner.py b/checkov/cloudformation/runner.py index 5306ff4aed..f51800a6de 100644 --- a/checkov/cloudformation/runner.py +++ b/checkov/cloudformation/runner.py @@ -7,7 +7,7 @@ from checkov.cloudformation.cfn_utils import create_definitions, build_definitions_context from checkov.cloudformation.checks.resource.registry import cfn_registry from checkov.cloudformation.context_parser import ContextParser -from checkov.cloudformation.parser import TemplateSections +from checkov.cloudformation.parser.cfn_keywords import TemplateSections from checkov.cloudformation.graph_builder.graph_to_definitions import convert_graph_vertices_to_definitions from checkov.cloudformation.graph_builder.local_graph import CloudformationLocalGraph from checkov.cloudformation.graph_manager import CloudformationGraphManager From 0f473dd2600d8158329a32ecdd8fdc2848c37b07 Mon Sep 17 00:00:00 2001 From: Rotem Avni <52502521+rotemavni@users.noreply.github.com> Date: Tue, 17 Aug 2021 12:24:06 +0300 Subject: [PATCH 149/203] Performance improvements in terraform graph creation (#1508) * backup commit * cleanup * Removed vertices_relative_to_path_cache * add `vertices_by_module_dependency_by_name` --- .../terraform/graph_builder/local_graph.py | 66 ++++++++++++------- .../terraform/variable_rendering/renderer.py | 3 +- 2 files changed, 43 insertions(+), 26 deletions(-) diff --git a/checkov/terraform/graph_builder/local_graph.py b/checkov/terraform/graph_builder/local_graph.py index 5425c7c784..7812e50645 100644 --- a/checkov/terraform/graph_builder/local_graph.py +++ b/checkov/terraform/graph_builder/local_graph.py @@ -1,5 +1,6 @@ import logging import os +from collections import defaultdict from copy import deepcopy from pathlib import Path from typing import List, Optional, Union, Any, Dict, Set, Callable @@ -41,18 +42,20 @@ def __init__(self, module: Module, module_dependency_map: Dict[str, List[List[st self.module_dependency_map = module_dependency_map self.map_path_to_module: Dict[str, List[int]] = {} self.relative_paths_cache = {} + self.abspath_cache: Dict[str, str] = {} + self.dirname_cache: Dict[str, str] = {} + self.vertices_by_module_dependency_by_name: Dict[str, Dict[BlockType, Dict[str, List[int]]]] = defaultdict(lambda: defaultdict(lambda: defaultdict(list))) + self.vertices_by_module_dependency: Dict[str, Dict[BlockType, List[int]]] = defaultdict(lambda: defaultdict(list)) def build_graph(self, render_variables: bool) -> None: self._create_vertices() - undetermined_values = self._set_variables_values_from_modules() self._build_edges() self.calculate_encryption_attribute() if render_variables: - logging.info("Rendering variables") + logging.info(f"Rendering variables, graph has {len(self.vertices)} vertices and {len(self.edges)} edges") renderer = VariableRenderer(self) renderer.render_variables_from_local_graph() self.update_vertices_breadcrumbs_and_module_connections() - self.process_undetermined_values(undetermined_values) def _create_vertices(self) -> None: logging.info("Creating vertices") @@ -67,6 +70,9 @@ def _create_vertices(self) -> None: # map between file paths and module vertices indexes from that file self.map_path_to_module.setdefault(block.path, []).append(i) + self.vertices_by_module_dependency[block.module_dependency][block.block_type].append(i) + self.vertices_by_module_dependency_by_name[block.module_dependency][block.block_type][block.name].append(i) + self.in_edges[i] = [] self.out_edges[i] = [] @@ -148,14 +154,14 @@ def get_module_vertices_mapping(self) -> None: module_list = self.map_path_to_module.get(path_to_module_str, []) for module_index in module_list: module_vertex = self.vertices[module_index] - module_vertex_dir = os.path.dirname(module_vertex.path) + module_vertex_dir = self.get_dirname(module_vertex.path) module_source = module_vertex.attributes.get("source", [""])[0] if self._get_dest_module_path(module_vertex_dir, module_source) == dir_name: block_dirs_to_modules.setdefault(dir_name, set()).add(module_index) for vertex in self.vertices: # match the right module vertex according to the vertex path directory - module_indices = block_dirs_to_modules.get(os.path.dirname(vertex.path), set()) + module_indices = block_dirs_to_modules.get(self.get_dirname(vertex.path), set()) if module_indices: vertex.source_module = module_indices @@ -211,13 +217,9 @@ def _build_edges(self) -> None: target_path = vertex.path if vertex.module_dependency != "": target_path = unify_dependency_path([vertex.module_dependency, vertex.path]) - dest_module_path = self._get_dest_module_path(os.path.dirname(vertex.path), vertex.attributes['source'][0]) - target_variables = [ - index - for index in self.vertices_by_block_type.get(BlockType.VARIABLE, []) - if self.vertices[index].module_dependency == target_path - and os.path.dirname(self.vertices[index].path) == dest_module_path - ] + dest_module_path = self._get_dest_module_path(self.get_dirname(vertex.path), vertex.attributes['source'][0]) + target_variables = list(filter(lambda index: self.get_dirname(self.vertices[index].path) == dest_module_path, + self.vertices_by_module_dependency.get(target_path, {}).get(BlockType.VARIABLE, []))) for attribute, value in vertex.attributes.items(): if attribute in MODULE_RESERVED_ATTRIBUTES: continue @@ -226,11 +228,9 @@ def _build_edges(self) -> None: self._create_edge(target_variable, origin_node_index, "default") elif vertex.block_type == BlockType.TF_VARIABLE: # Assuming the tfvars file is in the same directory as the variables file (best practice) - target_variables = [ - index - for index in self.vertices_block_name_map.get(BlockType.VARIABLE, {}).get(vertex.name, []) - if os.path.dirname(self.vertices[index].path) == os.path.dirname(vertex.path) - ] + target_variables = list( + filter(lambda index: self.get_dirname(self.vertices[index].path) == self.get_dirname(vertex.path), + self.vertices_block_name_map.get(BlockType.VARIABLE, {}).get(vertex.name, []))) if len(target_variables) == 1: self._create_edge(target_variables[0], origin_node_index, "default") @@ -255,7 +255,7 @@ def _connect_module( The function receives a node of a block of type BlockType.Module, and finds all the nodes of blocks that belong to this module, and creates edges between them. """ - curr_module_dir = os.path.dirname(module_node.path) + curr_module_dir = self.get_dirname(module_node.path) dest_module_source = module_node.attributes["source"][0] dest_module_path = self._get_dest_module_path(curr_module_dir, dest_module_source) @@ -266,10 +266,10 @@ def _connect_module( ) for vertex_index in output_blocks_with_name: vertex = self.vertices[vertex_index] - if (os.path.dirname(vertex.path) == dest_module_path) and ( + if (self.get_dirname(vertex.path) == dest_module_path) and ( vertex.module_dependency == module_node.module_dependency # The vertex is in the same file - or os.path.abspath(vertex.module_dependency) - == os.path.abspath(module_node.path) # The vertex is in the correct dependency path + or self.get_abspath(vertex.module_dependency) + == self.get_abspath(module_node.path) # The vertex is in the correct dependency path ): self._create_edge(origin_node_index, vertex_index, attribute_key) self.vertices[origin_node_index].add_module_connection(attribute_key, vertex_index) @@ -301,15 +301,17 @@ def _find_vertex_index_relative_to_path( self, block_type: BlockType, name: str, block_path: str, module_path: str ) -> int: relative_vertices = [] - possible_vertices = self.vertices_block_name_map.get(block_type, {}).get(name, []) + possible_vertices = self.vertices_by_module_dependency_by_name.get(module_path, {}).get(block_type, {}).get(name, []) for vertex_index in possible_vertices: vertex = self.vertices[vertex_index] - if vertex.module_dependency == module_path and os.path.dirname(vertex.path) == os.path.dirname(block_path): + if self.get_dirname(vertex.path) == self.get_dirname(block_path): relative_vertices.append(vertex_index) if len(relative_vertices) == 1: - return relative_vertices[0] - return self._find_vertex_with_longest_path_match(relative_vertices, block_path) + relative_vertex = relative_vertices[0] + else: + relative_vertex = self._find_vertex_with_longest_path_match(relative_vertices, block_path) + return relative_vertex def _find_vertex_with_longest_path_match(self, relevant_vertices_indexes: List[int], origin_path: str) -> int: vertex_index_with_longest_common_prefix = -1 @@ -473,3 +475,17 @@ def calculate_encryption_attribute(self) -> None: EncryptionValues.ENCRYPTED.value if is_encrypted else EncryptionValues.UNENCRYPTED.value ) vertex.attributes[CustomAttributes.ENCRYPTION_DETAILS] = reason + + def get_dirname(self, path: str) -> str: + dir_name = self.dirname_cache.get(path) + if not dir_name: + dir_name = os.path.dirname(path) + self.dirname_cache[path] = dir_name + return dir_name + + def get_abspath(self, path: str) -> str: + dir_name = self.abspath_cache.get(path) + if not dir_name: + dir_name = os.path.abspath(path) + self.abspath_cache[path] = dir_name + return dir_name diff --git a/checkov/terraform/variable_rendering/renderer.py b/checkov/terraform/variable_rendering/renderer.py index 17ff311ad3..f68c5f55f2 100644 --- a/checkov/terraform/variable_rendering/renderer.py +++ b/checkov/terraform/variable_rendering/renderer.py @@ -27,7 +27,7 @@ class VariableRenderer: def __init__(self, local_graph: "TerraformLocalGraph") -> None: self.local_graph = local_graph - run_async = os.environ.get("RENDER_VARIABLES_ASYNC", "True") + run_async = os.environ.get("RENDER_VARIABLES_ASYNC", "False") self.run_async = True if run_async == "True" else False self.max_workers = int(os.environ.get("RENDER_ASYNC_MAX_WORKERS", 50)) self.done_edges_by_origin_vertex: Dict[int, List[Edge]] = {} @@ -87,6 +87,7 @@ def render_variables_from_local_graph(self) -> None: self.local_graph.update_vertices_configs() logging.info("done evaluating edges") self.evaluate_non_rendered_values() + logging.info("done evaluate_non_rendered_values") def _edge_evaluation_task(self, edges: List[List[Edge]]) -> List[Edge]: inner_edges = edges[0] From 0f6ac016c5a0f2edd52212c95777556f896996ef Mon Sep 17 00:00:00 2001 From: Rotem Avni <52502521+rotemavni@users.noreply.github.com> Date: Tue, 17 Aug 2021 12:24:06 +0300 Subject: [PATCH 150/203] Performance improvements in terraform graph creation (#1508) * backup commit * cleanup * Removed vertices_relative_to_path_cache * add `vertices_by_module_dependency_by_name` --- docs/5.Policy Index/terraform.md | 616 +++++++++++++++---------------- 1 file changed, 308 insertions(+), 308 deletions(-) diff --git a/docs/5.Policy Index/terraform.md b/docs/5.Policy Index/terraform.md index c0bcab71f5..476aa7aae0 100644 --- a/docs/5.Policy Index/terraform.md +++ b/docs/5.Policy Index/terraform.md @@ -205,38 +205,38 @@ nav_order: 1 | 194 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | | 195 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | | 196 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | -| 197 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 198 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 199 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | -| 200 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 197 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | +| 198 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | +| 199 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 200 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | | 201 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to an other resource | Terraform | -| 202 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | -| 203 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | -| 204 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | -| 205 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 202 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | +| 203 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | +| 204 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 205 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | | 206 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | | 207 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | | 208 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | | 209 | CKV2_AWS_11 | resource | aws_vpc | Ensure VPC flow logging is enabled in all VPCs | Terraform | -| 210 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | -| 211 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 210 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 211 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | | 212 | CKV2_AWS_13 | resource | aws_redshift_cluster | Ensure that Redshift clusters has backup plan of AWS Backup | Terraform | -| 213 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | -| 214 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | +| 213 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | +| 214 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | | 215 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | | 216 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | | 217 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 218 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 219 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | -| 220 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 221 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 222 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | -| 223 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 220 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | +| 221 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | +| 222 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 223 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | | 224 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | | 225 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | | 226 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | -| 227 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | -| 228 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | +| 227 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | +| 228 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | | 229 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | | 230 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | | 231 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | @@ -388,19 +388,19 @@ nav_order: 1 | 377 | CKV_AZURE_130 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables infrastructure encryption | Terraform | | 378 | CKV_AZURE_131 | resource | azurerm_security_center_contact | Ensure that 'Security contact emails' is set | Terraform | | 379 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | -| 380 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 381 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 382 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 383 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 384 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 385 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 386 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 387 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 388 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 389 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 390 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 391 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | -| 392 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 380 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 381 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 382 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 383 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 384 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 385 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 386 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 387 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 388 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 389 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 390 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 391 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 392 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 393 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | | 394 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 395 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | @@ -409,24 +409,24 @@ nav_order: 1 | 398 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | | 399 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | | 400 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | -| 401 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | -| 402 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | -| 403 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | -| 404 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | +| 401 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | +| 402 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | +| 403 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | +| 404 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | | 405 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | | 406 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | | 407 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 408 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 409 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 410 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | -| 411 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 408 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 409 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 410 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 411 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 412 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | -| 413 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 413 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | | 414 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 415 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 416 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 417 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 418 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 415 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 416 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 417 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 418 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 419 | CKV_GCP_1 | resource | google_container_cluster | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters | Terraform | | 420 | CKV_GCP_2 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted ssh access | Terraform | | 421 | CKV_GCP_3 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted rdp access | Terraform | @@ -511,276 +511,276 @@ nav_order: 1 | 500 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | | 501 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | | 502 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 503 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 504 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 505 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 506 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 507 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 508 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 509 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 510 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 511 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 512 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 513 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 514 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 515 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 516 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 517 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 518 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 519 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 520 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 521 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 522 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 523 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 524 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 525 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 526 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 503 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 504 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 505 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 506 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 507 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 508 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 509 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 510 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 511 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 512 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 513 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 514 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 515 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 516 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 517 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 518 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 519 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 520 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 521 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 522 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 523 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 524 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 525 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 526 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 527 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 528 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 529 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 530 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 531 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 532 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 533 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 534 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 535 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 536 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 537 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 538 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 539 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 540 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 541 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 542 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 543 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 544 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 545 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 546 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 547 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 548 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 549 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 550 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 551 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 552 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 553 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 554 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 555 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 556 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 557 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 558 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 559 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 560 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 561 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 562 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 563 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 564 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 565 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 566 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 567 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 568 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 569 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 570 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 571 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 572 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 573 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 574 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 575 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 576 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 577 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 578 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 528 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 529 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 530 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 531 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 532 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 533 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 534 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 535 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 536 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 537 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 538 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 539 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 540 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 541 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 542 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 543 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 544 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 545 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 546 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 547 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 548 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 549 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 550 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 551 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 552 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 553 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 554 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 555 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 556 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 557 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 558 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 559 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 560 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 561 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 562 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 563 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 564 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 565 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 566 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 567 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 568 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 569 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 570 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 571 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 572 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 573 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 574 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 575 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 576 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 577 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 578 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 579 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 580 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 581 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 582 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 583 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 584 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 585 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 586 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 587 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 588 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 589 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 590 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 591 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 592 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 593 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 594 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 595 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 596 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 597 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 598 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 599 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 600 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 601 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 602 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 603 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 604 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 605 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 606 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 607 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 608 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 609 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 610 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 611 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 612 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 613 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 614 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 615 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 616 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 617 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 618 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 619 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 620 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 621 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 622 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 623 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 624 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 625 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 626 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 627 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 628 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 629 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 630 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 631 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 632 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 633 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 634 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 635 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 636 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 637 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 638 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 639 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 640 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 641 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 642 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 643 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 644 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 645 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 646 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 647 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 648 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 649 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 650 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 651 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 652 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 653 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 654 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 655 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 656 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 657 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 658 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 659 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 660 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 661 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 662 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 663 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 664 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 665 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 666 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 667 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 668 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 669 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 670 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 671 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 672 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 673 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 674 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 675 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 676 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 677 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 678 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 679 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 680 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 681 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 682 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 683 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 684 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 685 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 686 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 687 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 688 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 689 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 690 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 691 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 692 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 693 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 694 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 695 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 696 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 697 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 698 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 699 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 700 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 701 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 702 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 703 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 704 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 705 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 706 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 707 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 708 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 709 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 710 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 711 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 712 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 713 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 714 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 715 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 716 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 717 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 718 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 719 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 720 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 721 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 722 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 723 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 724 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 725 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 726 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 727 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 728 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 729 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 730 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 731 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 732 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 733 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 734 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 735 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 736 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 737 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 738 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 739 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 740 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 741 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 742 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 743 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 744 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 745 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 746 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 747 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 748 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 749 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 750 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 751 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 752 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 753 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 754 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 755 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 756 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 757 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 758 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 759 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 760 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 761 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 762 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 763 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 764 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 580 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 581 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 582 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 583 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 584 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 585 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 586 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 587 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 588 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 589 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 590 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 591 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 592 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 593 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 594 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 595 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 596 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 597 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 598 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 599 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 600 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 601 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 602 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 603 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 604 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 605 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 606 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 607 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 608 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 609 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 610 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 611 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 612 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 613 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 614 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 615 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 616 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 617 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 618 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 619 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 620 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 621 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 622 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 623 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 624 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 625 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 626 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 627 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 628 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 629 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 630 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 631 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 632 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 633 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 634 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 635 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 636 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 637 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 638 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 639 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 640 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 641 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 642 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 643 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 644 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 645 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 646 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 647 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 648 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 649 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 650 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 651 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 652 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 653 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 654 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 655 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 656 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 657 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 658 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 659 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 660 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 661 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 662 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 663 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 664 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 665 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 666 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 667 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 668 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 669 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 670 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 671 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 672 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 673 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 674 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 675 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 676 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 677 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 678 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 679 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 680 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 681 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 682 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 683 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 684 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 685 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 686 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 687 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 688 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 689 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 690 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 691 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 692 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 693 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 694 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 695 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 696 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 697 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 698 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 699 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 700 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 701 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 702 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 703 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 704 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 705 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 706 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 707 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 708 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 709 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 710 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 711 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 712 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 713 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 714 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 715 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 716 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 717 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 718 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 719 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 720 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 721 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 722 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 723 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 724 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 725 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 726 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 727 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 728 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 729 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 730 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 731 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 732 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 733 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 734 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 735 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 736 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 737 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 738 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 739 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 740 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 741 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 742 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 743 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 744 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 745 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 746 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 747 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 748 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 749 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 750 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 751 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 752 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 753 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 754 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 755 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 756 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 757 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 758 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 759 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 760 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 761 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 762 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 763 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 764 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 765 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 766 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 767 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 768 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 769 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 770 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 771 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 772 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 769 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 770 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 771 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 772 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | | 773 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | | 774 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 775 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | From b0cb9626fe92ddd8b5690d3f59a89d6f1392b874 Mon Sep 17 00:00:00 2001 From: Rotem Avni <52502521+rotemavni@users.noreply.github.com> Date: Tue, 17 Aug 2021 12:24:06 +0300 Subject: [PATCH 151/203] Performance improvements in terraform graph creation (#1508) * backup commit * cleanup * Removed vertices_relative_to_path_cache * add `vertices_by_module_dependency_by_name` --- docs/5.Policy Index/serverless.md | 130 ------------------------------ 1 file changed, 130 deletions(-) diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index 020ab484d2..d35af83ca3 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md @@ -16,133 +16,3 @@ nav_order: 1 --- -| | Id | Type | Entity | Policy | IaC | -|-----|-------------|----------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| -| 0 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | -| 1 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | -| 2 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | -| 3 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | -| 4 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | -| 5 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | -| 6 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | -| 7 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | -| 8 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | -| 9 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | -| 10 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | -| 11 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | -| 12 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | -| 13 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | -| 14 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | -| 15 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 16 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 17 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 18 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 19 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | -| 20 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | -| 21 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | -| 22 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | -| 23 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | -| 24 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | -| 25 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | -| 26 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | -| 27 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | -| 28 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | -| 29 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | -| 30 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | -| 31 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | -| 32 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | -| 33 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | -| 34 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | -| 35 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | -| 36 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | -| 37 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | -| 38 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | -| 39 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | -| 40 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | -| 41 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | -| 42 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | -| 43 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | -| 44 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | -| 45 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | -| 46 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | -| 47 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | -| 48 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | -| 49 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | -| 50 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | -| 51 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | -| 52 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | -| 53 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | -| 54 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | -| 55 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | -| 56 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | -| 57 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | -| 58 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | -| 59 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | -| 60 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | -| 61 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | -| 62 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | -| 63 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | -| 64 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | -| 65 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | -| 66 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | -| 67 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | -| 68 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | -| 69 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | -| 70 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | -| 71 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | -| 72 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | -| 73 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | -| 74 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | -| 75 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | -| 76 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | -| 77 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | -| 78 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | -| 79 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | -| 80 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 81 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 82 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 83 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 84 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 85 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 86 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 87 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 88 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 89 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 90 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 91 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 92 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 93 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 94 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 95 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 96 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 97 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 98 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 99 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 100 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 101 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 102 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 103 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 104 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 105 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | -| 106 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | -| 107 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | -| 108 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | -| 109 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | -| 110 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | -| 111 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | -| 112 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | -| 113 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | -| 114 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | -| 115 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | -| 116 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | -| 117 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | -| 118 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | -| 119 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | -| 120 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | -| 121 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | -| 122 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | - - ---- - - From 18ec5bee40fea8bac4a647843ec79e58fdb0d574 Mon Sep 17 00:00:00 2001 From: Rotem Avni <52502521+rotemavni@users.noreply.github.com> Date: Tue, 17 Aug 2021 12:24:06 +0300 Subject: [PATCH 152/203] Performance improvements in terraform graph creation (#1508) * backup commit * cleanup * Removed vertices_relative_to_path_cache * add `vertices_by_module_dependency_by_name` --- docs/5.Policy Index/all.md | 604 ++++++++++++++++++------------------- 1 file changed, 302 insertions(+), 302 deletions(-) diff --git a/docs/5.Policy Index/all.md b/docs/5.Policy Index/all.md index 8ccd908e67..5484825794 100644 --- a/docs/5.Policy Index/all.md +++ b/docs/5.Policy Index/all.md @@ -327,10 +327,10 @@ nav_order: 1 | 316 | CKV_AWS_171 | resource | aws_emr_security_configuration | Ensure Cluster security configuration encryption is using SSE-KMS | Terraform | | 317 | CKV_AWS_172 | resource | aws_qldb_ledger | Ensure QLDB ledger has deletion protection enabled | Terraform | | 318 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | -| 319 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | -| 320 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | -| 321 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | -| 322 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 319 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | +| 320 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | +| 321 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 322 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | | 323 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | | 324 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | | 325 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | @@ -338,8 +338,8 @@ nav_order: 1 | 327 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to an other resource | Terraform | | 328 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | | 329 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | -| 330 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | -| 331 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 330 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 331 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | | 332 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | | 333 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | | 334 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | @@ -347,22 +347,22 @@ nav_order: 1 | 336 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | | 337 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | | 338 | CKV2_AWS_13 | resource | aws_redshift_cluster | Ensure that Redshift clusters has backup plan of AWS Backup | Terraform | -| 339 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | -| 340 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | -| 341 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 342 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 339 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | +| 340 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | +| 341 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 342 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | | 343 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 344 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 345 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | | 346 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | | 347 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 348 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | -| 349 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 348 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 349 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | | 350 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | | 351 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | | 352 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | -| 353 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | -| 354 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | +| 353 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | +| 354 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | | 355 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | | 356 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | | 357 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | @@ -567,17 +567,17 @@ nav_order: 1 | 556 | CKV_AZURE_131 | resource | azurerm_security_center_contact | Ensure that 'Security contact emails' is set | Terraform | | 557 | CKV_AZURE_131 | parameter | secureString | SecureString parameter should not have hardcoded default values | arm | | 558 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | -| 559 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 560 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 561 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 562 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 563 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 564 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 565 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 566 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 567 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 568 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 569 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 559 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 560 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 561 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 562 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 563 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 564 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 565 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 566 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 567 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 568 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 569 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | | 570 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 571 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 572 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | @@ -588,8 +588,8 @@ nav_order: 1 | 577 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | | 578 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | | 579 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | -| 580 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | -| 581 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | +| 580 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | +| 581 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | | 582 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | | 583 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | | 584 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | @@ -597,14 +597,14 @@ nav_order: 1 | 586 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | | 587 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | | 588 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 589 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | -| 590 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 589 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 590 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 591 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | | 592 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | | 593 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | | 594 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 595 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 596 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 595 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 596 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 597 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 598 | CKV_DOCKER_1 | dockerfile | EXPOSE | Ensure port 22 is not exposed | dockerfile | | 599 | CKV_DOCKER_2 | dockerfile | * | Ensure that HEALTHCHECK instructions have been added to container images | dockerfile | @@ -698,279 +698,279 @@ nav_order: 1 | 687 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | | 688 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | | 689 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 690 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 691 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 692 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 693 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 694 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 695 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 696 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 697 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 698 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 699 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 700 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 701 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 702 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 703 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 704 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 705 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 706 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 707 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 708 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 709 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 710 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 711 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 712 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 713 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 714 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 715 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 716 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 717 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 718 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 719 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 720 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 721 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 722 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 723 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 724 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 725 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 726 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 727 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 728 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 729 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 730 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 731 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 732 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 733 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 734 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 735 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 736 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 737 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 738 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 739 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 740 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 741 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 742 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 743 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 744 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 745 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 746 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 747 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 748 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 749 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 750 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 751 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 752 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 753 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 754 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 755 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 756 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 757 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 758 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 759 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 760 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 761 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 762 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 763 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 764 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 765 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 766 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 767 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 768 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 769 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 770 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 771 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 772 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 773 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 774 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 775 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 776 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 777 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 778 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 779 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 780 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 781 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 782 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 783 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 784 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 785 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 786 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 787 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 788 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 789 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 790 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 791 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 792 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 793 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 794 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 795 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 796 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 797 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 798 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 799 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 800 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 801 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 802 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 803 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 804 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 805 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 806 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 807 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 808 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 809 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 810 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 811 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 812 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 813 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 814 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 815 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 816 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 817 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 818 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 819 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 820 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 821 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 822 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 823 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 824 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 825 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 826 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 827 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 828 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 829 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 830 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 831 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 832 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 833 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 834 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 835 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 836 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 837 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 838 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 839 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 840 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 841 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 842 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 843 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 844 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 845 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 846 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 847 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 848 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 849 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 850 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 851 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 852 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 853 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 854 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 855 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 856 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 857 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 858 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 859 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 860 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 861 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 862 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 863 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 864 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 865 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 866 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 867 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 868 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 869 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 870 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 871 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 872 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 873 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 874 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 875 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 876 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 877 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 878 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 879 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 880 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 881 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 882 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 883 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 884 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 885 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 886 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 887 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 888 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 889 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 890 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 891 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 892 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 893 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 894 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 895 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 896 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 897 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 898 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 899 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 900 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 901 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 902 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 903 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 904 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 905 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 906 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 907 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 908 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 909 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 910 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 911 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 912 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 913 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 914 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 915 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 916 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 917 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 918 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 919 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 920 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 921 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 922 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 923 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 924 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 925 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 926 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 927 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 928 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 929 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 930 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 931 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 932 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 933 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 934 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 935 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 936 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 937 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 938 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 939 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 940 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 941 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 942 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 943 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 944 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 945 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 946 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 947 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 948 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 949 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 690 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 691 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 692 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 693 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 694 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 695 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 696 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 697 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 698 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 699 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 700 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 701 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 702 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 703 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 704 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 705 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 706 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 707 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 708 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 709 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 710 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 711 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 712 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 713 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 714 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 715 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 716 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 717 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 718 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 719 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 720 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 721 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 722 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 723 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 724 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 725 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 726 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 727 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 728 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 729 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 730 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 731 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 732 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 733 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 734 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 735 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 736 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 737 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 738 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 739 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 740 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 741 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 742 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 743 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 744 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 745 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 746 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 747 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 748 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 749 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 750 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 751 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 752 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 753 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 754 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 755 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 756 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 757 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 758 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 759 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 760 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 761 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 762 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 763 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 764 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 765 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 766 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 767 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 768 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 769 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 770 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 771 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 772 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 773 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 774 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 775 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 776 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 777 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 778 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 779 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 780 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 781 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 782 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 783 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 784 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 785 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 786 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 787 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 788 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 789 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 790 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 791 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 792 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 793 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 794 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 795 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 796 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 797 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 798 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 799 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 800 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 801 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 802 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 803 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 804 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 805 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 806 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 807 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 808 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 809 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 810 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 811 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 812 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 813 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 814 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 815 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 816 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 817 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 818 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 819 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 820 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 821 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 822 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 823 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 824 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 825 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 826 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 827 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 828 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 829 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 830 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 831 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 832 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 833 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 834 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 835 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 836 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 837 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 838 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 839 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 840 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 841 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 842 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 843 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 844 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 845 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 846 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 847 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 848 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 849 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 850 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 851 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 852 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 853 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 854 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 855 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 856 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 857 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 858 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 859 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 860 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 861 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 862 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 863 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 864 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 865 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 866 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 867 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 868 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 869 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 870 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 871 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 872 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 873 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 874 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 875 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 876 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 877 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 878 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 879 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 880 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 881 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 882 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 883 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 884 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 885 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 886 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 887 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 888 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 889 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 890 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 891 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 892 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 893 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 894 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 895 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 896 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 897 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 898 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 899 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 900 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 901 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 902 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 903 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 904 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 905 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 906 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 907 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 908 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 909 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 910 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 911 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 912 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 913 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 914 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 915 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 916 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 917 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 918 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 919 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 920 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 921 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 922 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 923 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 924 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 925 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 926 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 927 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 928 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 929 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 930 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 931 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 932 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 933 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 934 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 935 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 936 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 937 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 938 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 939 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 940 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 941 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 942 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 943 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 944 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 945 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 946 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 947 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 948 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 949 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 950 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 951 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 952 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 953 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 954 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 955 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 956 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 957 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 951 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 952 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 953 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 954 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 955 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 956 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 957 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | | 958 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 959 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 960 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 961 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | -| 962 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 959 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 960 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 961 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 962 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 963 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform | | 964 | CKV_K8S_1 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host process ID namespace | Kubernetes | | 965 | CKV_K8S_2 | resource | PodSecurityPolicy | Do not admit privileged containers | Kubernetes | From 5472e0adf79017a0244a2d63be6687268bd4f449 Mon Sep 17 00:00:00 2001 From: Rotem Avni <52502521+rotemavni@users.noreply.github.com> Date: Tue, 17 Aug 2021 12:24:06 +0300 Subject: [PATCH 153/203] Performance improvements in terraform graph creation (#1508) * backup commit * cleanup * Removed vertices_relative_to_path_cache * add `vertices_by_module_dependency_by_name` --- docs/5.Policy Index/serverless.md | 130 ++++++++++++++++++++++++++++++ 1 file changed, 130 insertions(+) diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index d35af83ca3..020ab484d2 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md @@ -16,3 +16,133 @@ nav_order: 1 --- +| | Id | Type | Entity | Policy | IaC | +|-----|-------------|----------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| +| 0 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | +| 1 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | +| 2 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | +| 3 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | +| 4 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | +| 5 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | +| 6 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | +| 7 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | +| 8 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | +| 9 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | +| 10 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | +| 11 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | +| 12 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | +| 13 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | +| 14 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | +| 15 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 16 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 17 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 18 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 19 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | +| 20 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | +| 21 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | +| 22 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | +| 23 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | +| 24 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | +| 25 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | +| 26 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | +| 27 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | +| 28 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | +| 29 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | +| 30 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | +| 31 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | +| 32 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | +| 33 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | +| 34 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | +| 35 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | +| 36 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | +| 37 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | +| 38 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | +| 39 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | +| 40 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | +| 41 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | +| 42 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | +| 43 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | +| 44 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | +| 45 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | +| 46 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | +| 47 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | +| 48 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | +| 49 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | +| 50 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | +| 51 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | +| 52 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | +| 53 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | +| 54 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | +| 55 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | +| 56 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | +| 57 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | +| 58 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | +| 59 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | +| 60 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | +| 61 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | +| 62 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | +| 63 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | +| 64 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | +| 65 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | +| 66 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | +| 67 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | +| 68 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | +| 69 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | +| 70 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | +| 71 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | +| 72 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | +| 73 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | +| 74 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | +| 75 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | +| 76 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | +| 77 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | +| 78 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | +| 79 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | +| 80 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 81 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 82 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 83 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 84 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 85 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 86 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 87 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 88 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 89 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 90 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 91 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 92 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 93 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 94 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 95 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 96 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 97 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 98 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 99 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 100 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 101 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 102 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 103 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 104 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 105 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | +| 106 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | +| 107 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | +| 108 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | +| 109 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | +| 110 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | +| 111 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | +| 112 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | +| 113 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | +| 114 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | +| 115 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | +| 116 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | +| 117 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | +| 118 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | +| 119 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | +| 120 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | +| 121 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | +| 122 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | + + +--- + + From e93083ea9f0172fc93a113aa9cff5cd299c2a8ba Mon Sep 17 00:00:00 2001 From: Rotem Avni <52502521+rotemavni@users.noreply.github.com> Date: Tue, 17 Aug 2021 12:24:06 +0300 Subject: [PATCH 154/203] Performance improvements in terraform graph creation (#1508) * backup commit * cleanup * Removed vertices_relative_to_path_cache * add `vertices_by_module_dependency_by_name` --- checkov/version.py | 2 +- kubernetes/requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/checkov/version.py b/checkov/version.py index e8a582f728..524c7b9cb8 100644 --- a/checkov/version.py +++ b/checkov/version.py @@ -1 +1 @@ -version = '2.0.355' +version = '2.0.356' diff --git a/kubernetes/requirements.txt b/kubernetes/requirements.txt index 8413b65b37..58bf410577 100644 --- a/kubernetes/requirements.txt +++ b/kubernetes/requirements.txt @@ -1 +1 @@ -checkov==2.0.355 +checkov==2.0.356 From eb6bd65a68d1f6626e55f6ad98d7c89bf4b534db Mon Sep 17 00:00:00 2001 From: Saar Ettinger Date: Tue, 17 Aug 2021 13:16:23 +0300 Subject: [PATCH 155/203] Merge pull request #1498 from bridgecrewio/cfn_edges CFN Graph edges --- docs/5.Policy Index/terraform.md | 582 +++++++++++++++---------------- 1 file changed, 291 insertions(+), 291 deletions(-) diff --git a/docs/5.Policy Index/terraform.md b/docs/5.Policy Index/terraform.md index 476aa7aae0..fc26e3b790 100644 --- a/docs/5.Policy Index/terraform.md +++ b/docs/5.Policy Index/terraform.md @@ -201,8 +201,8 @@ nav_order: 1 | 190 | CKV_AWS_170 | resource | aws_qldb_ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Terraform | | 191 | CKV_AWS_171 | resource | aws_emr_security_configuration | Ensure Cluster security configuration encryption is using SSE-KMS | Terraform | | 192 | CKV_AWS_172 | resource | aws_qldb_ledger | Ensure QLDB ledger has deletion protection enabled | Terraform | -| 193 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | -| 194 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | +| 193 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | +| 194 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | | 195 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | | 196 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | | 197 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | @@ -210,10 +210,10 @@ nav_order: 1 | 199 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | | 200 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | | 201 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to an other resource | Terraform | -| 202 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | -| 203 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | -| 204 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | -| 205 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 202 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | +| 203 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | +| 204 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 205 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | | 206 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | | 207 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | | 208 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | @@ -223,8 +223,8 @@ nav_order: 1 | 212 | CKV2_AWS_13 | resource | aws_redshift_cluster | Ensure that Redshift clusters has backup plan of AWS Backup | Terraform | | 213 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | | 214 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | -| 215 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 216 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 215 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 216 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | | 217 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 218 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 219 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | @@ -388,31 +388,31 @@ nav_order: 1 | 377 | CKV_AZURE_130 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables infrastructure encryption | Terraform | | 378 | CKV_AZURE_131 | resource | azurerm_security_center_contact | Ensure that 'Security contact emails' is set | Terraform | | 379 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | -| 380 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 381 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 382 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 380 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 381 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 382 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 383 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 384 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 385 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 384 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 385 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 386 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 387 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 388 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 387 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 388 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | | 389 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 390 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 390 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | | 391 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 392 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 393 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | -| 394 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | -| 395 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | +| 394 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | +| 395 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 396 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | | 397 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | | 398 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | | 399 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | | 400 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | -| 401 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | -| 402 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | -| 403 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | -| 404 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | +| 401 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | +| 402 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | +| 403 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | +| 404 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | | 405 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | | 406 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | | 407 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | @@ -422,10 +422,10 @@ nav_order: 1 | 411 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 412 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | | 413 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 414 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 415 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 416 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 417 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 414 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 415 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 416 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 417 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 418 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 419 | CKV_GCP_1 | resource | google_container_cluster | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters | Terraform | | 420 | CKV_GCP_2 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted ssh access | Terraform | @@ -511,277 +511,277 @@ nav_order: 1 | 500 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | | 501 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | | 502 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 503 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 504 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 505 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 506 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 507 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 508 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 509 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 510 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 511 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 512 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 513 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 514 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 503 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 504 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 505 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 506 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 507 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 508 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 509 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 510 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 511 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 512 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 513 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 514 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 515 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 516 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 517 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 518 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 519 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 520 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 521 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 522 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 523 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 524 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 525 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 526 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 527 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 528 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 529 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 530 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 531 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 532 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 533 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 534 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 535 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 536 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 537 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 538 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 539 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 540 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 541 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 542 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 543 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 544 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 545 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 546 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 547 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 548 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 549 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 550 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 551 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 552 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 553 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 554 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 555 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 556 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 557 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 558 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 559 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 560 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 561 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 562 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 563 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 564 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 565 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 566 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 567 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 568 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 569 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 570 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 571 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 572 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 573 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 574 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 575 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 576 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 577 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 578 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 579 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 580 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 581 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 582 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 583 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 584 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 585 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 586 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 587 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 588 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 589 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 590 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 591 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 592 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 593 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 594 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 595 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 596 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 597 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 598 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 599 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 600 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 516 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 517 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 518 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 519 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 520 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 521 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 522 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 523 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 524 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 525 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 526 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 527 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 528 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 529 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 530 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 531 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 532 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 533 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 534 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 535 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 536 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 537 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 538 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 539 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 540 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 541 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 542 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 543 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 544 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 545 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 546 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 547 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 548 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 549 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 550 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 551 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 552 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 553 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 554 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 555 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 556 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 557 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 558 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 559 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 560 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 561 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 562 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 563 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 564 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 565 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 566 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 567 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 568 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 569 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 570 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 571 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 572 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 573 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 574 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 575 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 576 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 577 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 578 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 579 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 580 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 581 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 582 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 583 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 584 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 585 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 586 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 587 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 588 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 589 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 590 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 591 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 592 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 593 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 594 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 595 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 596 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 597 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 598 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 599 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 600 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 601 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 602 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 603 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 604 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 605 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 606 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 607 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 608 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 609 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 610 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 611 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 612 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 613 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 614 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 615 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 616 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 617 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 618 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 619 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 620 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 621 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 622 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 623 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 624 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 625 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 626 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 627 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 628 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 629 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 630 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 631 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 632 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 633 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 634 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 635 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 636 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 637 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 638 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 639 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 640 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 641 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 642 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 643 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 644 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 645 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 646 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 647 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 648 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 649 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 650 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 651 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 652 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 653 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 654 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 655 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 602 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 603 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 604 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 605 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 606 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 607 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 608 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 609 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 610 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 611 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 612 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 613 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 614 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 615 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 616 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 617 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 618 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 619 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 620 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 621 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 622 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 623 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 624 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 625 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 626 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 627 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 628 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 629 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 630 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 631 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 632 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 633 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 634 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 635 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 636 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 637 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 638 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 639 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 640 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 641 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 642 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 643 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 644 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 645 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 646 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 647 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 648 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 649 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 650 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 651 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 652 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 653 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 654 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 655 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 656 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 657 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 658 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 659 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 660 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 661 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 662 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 663 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 664 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 665 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 666 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 667 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 668 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 669 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 670 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 671 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 672 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 673 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 674 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 675 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 676 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 677 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 678 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 679 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 680 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 681 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 682 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 683 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 684 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 685 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 686 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 687 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 688 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 689 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 690 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 691 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 692 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 693 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 694 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 695 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 696 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 697 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 698 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 699 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 700 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 701 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 702 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 703 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 704 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 705 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 706 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 707 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 708 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 709 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 710 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 711 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 712 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 713 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 714 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 715 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 716 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 717 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 718 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 719 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 720 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 721 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 722 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 723 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 724 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 725 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 726 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 727 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 728 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 729 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 730 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 731 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 732 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 733 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 734 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 735 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 736 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 737 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 738 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 739 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 740 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 741 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 742 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 743 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 744 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 745 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 746 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 747 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 748 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 749 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 750 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 751 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 752 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 753 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 754 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 755 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 756 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 757 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 758 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 759 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 760 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 761 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 762 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 763 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 764 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 765 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 766 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 767 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 768 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 657 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 658 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 659 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 660 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 661 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 662 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 663 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 664 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 665 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 666 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 667 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 668 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 669 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 670 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 671 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 672 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 673 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 674 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 675 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 676 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 677 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 678 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 679 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 680 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 681 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 682 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 683 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 684 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 685 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 686 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 687 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 688 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 689 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 690 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 691 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 692 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 693 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 694 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 695 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 696 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 697 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 698 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 699 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 700 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 701 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 702 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 703 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 704 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 705 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 706 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 707 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 708 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 709 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 710 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 711 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 712 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 713 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 714 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 715 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 716 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 717 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 718 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 719 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 720 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 721 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 722 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 723 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 724 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 725 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 726 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 727 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 728 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 729 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 730 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 731 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 732 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 733 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 734 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 735 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 736 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 737 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 738 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 739 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 740 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 741 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 742 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 743 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 744 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 745 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 746 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 747 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 748 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 749 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 750 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 751 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 752 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 753 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 754 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 755 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 756 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 757 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 758 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 759 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 760 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 761 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 762 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 763 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 764 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 765 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 766 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 767 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 768 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 769 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | | 770 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | | 771 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 772 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 773 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 772 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 773 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | | 774 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 775 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 776 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform | From 4ee90e71d05e50ba443fa63e3b08282eefe7bc11 Mon Sep 17 00:00:00 2001 From: Saar Ettinger Date: Tue, 17 Aug 2021 13:16:23 +0300 Subject: [PATCH 156/203] Merge pull request #1498 from bridgecrewio/cfn_edges CFN Graph edges --- docs/5.Policy Index/serverless.md | 130 ------------------------------ 1 file changed, 130 deletions(-) diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index 020ab484d2..d35af83ca3 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md @@ -16,133 +16,3 @@ nav_order: 1 --- -| | Id | Type | Entity | Policy | IaC | -|-----|-------------|----------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| -| 0 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | -| 1 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | -| 2 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | -| 3 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | -| 4 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | -| 5 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | -| 6 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | -| 7 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | -| 8 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | -| 9 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | -| 10 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | -| 11 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | -| 12 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | -| 13 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | -| 14 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | -| 15 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 16 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 17 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 18 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 19 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | -| 20 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | -| 21 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | -| 22 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | -| 23 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | -| 24 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | -| 25 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | -| 26 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | -| 27 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | -| 28 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | -| 29 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | -| 30 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | -| 31 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | -| 32 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | -| 33 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | -| 34 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | -| 35 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | -| 36 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | -| 37 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | -| 38 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | -| 39 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | -| 40 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | -| 41 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | -| 42 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | -| 43 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | -| 44 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | -| 45 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | -| 46 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | -| 47 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | -| 48 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | -| 49 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | -| 50 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | -| 51 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | -| 52 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | -| 53 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | -| 54 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | -| 55 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | -| 56 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | -| 57 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | -| 58 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | -| 59 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | -| 60 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | -| 61 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | -| 62 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | -| 63 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | -| 64 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | -| 65 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | -| 66 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | -| 67 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | -| 68 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | -| 69 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | -| 70 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | -| 71 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | -| 72 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | -| 73 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | -| 74 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | -| 75 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | -| 76 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | -| 77 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | -| 78 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | -| 79 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | -| 80 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 81 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 82 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 83 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 84 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 85 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 86 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 87 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 88 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 89 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 90 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 91 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 92 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 93 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 94 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 95 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 96 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 97 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 98 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 99 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 100 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 101 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 102 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 103 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 104 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 105 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | -| 106 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | -| 107 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | -| 108 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | -| 109 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | -| 110 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | -| 111 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | -| 112 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | -| 113 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | -| 114 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | -| 115 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | -| 116 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | -| 117 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | -| 118 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | -| 119 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | -| 120 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | -| 121 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | -| 122 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | - - ---- - - From ec535c14115faf7c3a55fabd22810151239995ea Mon Sep 17 00:00:00 2001 From: Saar Ettinger Date: Tue, 17 Aug 2021 13:16:23 +0300 Subject: [PATCH 157/203] Merge pull request #1498 from bridgecrewio/cfn_edges CFN Graph edges --- docs/5.Policy Index/all.md | 608 ++++++++++++++++++------------------- 1 file changed, 304 insertions(+), 304 deletions(-) diff --git a/docs/5.Policy Index/all.md b/docs/5.Policy Index/all.md index 5484825794..1f1adc296b 100644 --- a/docs/5.Policy Index/all.md +++ b/docs/5.Policy Index/all.md @@ -327,8 +327,8 @@ nav_order: 1 | 316 | CKV_AWS_171 | resource | aws_emr_security_configuration | Ensure Cluster security configuration encryption is using SSE-KMS | Terraform | | 317 | CKV_AWS_172 | resource | aws_qldb_ledger | Ensure QLDB ledger has deletion protection enabled | Terraform | | 318 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | -| 319 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | -| 320 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | +| 319 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | +| 320 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | | 321 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | | 322 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | | 323 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | @@ -336,36 +336,36 @@ nav_order: 1 | 325 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | | 326 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | | 327 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to an other resource | Terraform | -| 328 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | -| 329 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | +| 328 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | +| 329 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | | 330 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | | 331 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | | 332 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | | 333 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | | 334 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | | 335 | CKV2_AWS_11 | resource | aws_vpc | Ensure VPC flow logging is enabled in all VPCs | Terraform | -| 336 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | -| 337 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 336 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 337 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | | 338 | CKV2_AWS_13 | resource | aws_redshift_cluster | Ensure that Redshift clusters has backup plan of AWS Backup | Terraform | -| 339 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | -| 340 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | -| 341 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 342 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 343 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | -| 344 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | +| 339 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | +| 340 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | +| 341 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 342 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 343 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | +| 344 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 345 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | | 346 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | | 347 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 348 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | -| 349 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 348 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 349 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | | 350 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | | 351 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | | 352 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | -| 353 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | -| 354 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | +| 353 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | +| 354 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | | 355 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | -| 356 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | -| 357 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | +| 356 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | +| 357 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | | 358 | CKV_AZURE_1 | resource | azurerm_linux_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | | 359 | CKV_AZURE_1 | resource | azurerm_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | | 360 | CKV_AZURE_1 | resource | Microsoft.Compute/virtualMachines | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | arm | @@ -567,36 +567,36 @@ nav_order: 1 | 556 | CKV_AZURE_131 | resource | azurerm_security_center_contact | Ensure that 'Security contact emails' is set | Terraform | | 557 | CKV_AZURE_131 | parameter | secureString | SecureString parameter should not have hardcoded default values | arm | | 558 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | -| 559 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 560 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 561 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 559 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 560 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 561 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 562 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 563 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 564 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 563 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 564 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 565 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 566 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 567 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 566 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 567 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | | 568 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 569 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 570 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | -| 571 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 569 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 570 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 571 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 572 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | | 573 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 574 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 575 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | -| 576 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | -| 577 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 576 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 577 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | | 578 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | | 579 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | -| 580 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | -| 581 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | -| 582 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | -| 583 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | +| 580 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | +| 581 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | +| 582 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | +| 583 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | | 584 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | -| 585 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 586 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 587 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 588 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 585 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 586 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 587 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 588 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | | 589 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 590 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 591 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | @@ -698,277 +698,277 @@ nav_order: 1 | 687 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | | 688 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | | 689 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 690 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 691 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 692 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 693 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 694 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 695 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 696 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 697 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 698 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 699 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 700 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 701 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 702 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 703 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 704 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 705 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 706 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 707 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 708 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 709 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 710 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 711 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 712 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 713 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 714 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 715 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 716 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 717 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 718 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 719 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 720 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 721 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 722 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 723 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 724 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 725 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 726 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 727 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 728 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 729 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 730 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 690 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 691 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 692 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 693 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 694 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 695 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 696 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 697 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 698 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 699 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 700 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 701 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 702 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 703 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 704 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 705 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 706 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 707 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 708 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 709 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 710 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 711 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 712 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 713 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 714 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 715 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 716 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 717 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 718 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 719 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 720 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 721 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 722 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 723 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 724 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 725 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 726 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 727 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 728 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 729 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 730 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 731 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 732 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 733 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 734 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 735 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 736 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 737 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 738 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 739 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 740 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 741 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 742 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 743 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 744 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 745 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 746 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 747 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 748 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 749 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 750 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 751 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 752 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 753 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 754 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 755 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 756 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 757 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 758 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 759 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 760 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 761 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 762 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 763 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 764 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 765 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 766 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 767 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 768 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 769 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 770 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 771 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 772 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 773 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 774 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 775 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 776 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 777 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 778 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 779 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 780 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 781 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 782 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 783 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 784 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 785 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 786 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 787 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 788 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 789 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 790 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 791 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 792 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 793 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 794 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 795 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 796 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 797 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 798 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 799 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 800 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 801 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 802 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 803 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 804 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 805 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 806 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 807 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 808 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 809 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 810 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 811 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 812 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 813 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 814 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 815 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 816 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 817 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 818 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 819 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 820 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 821 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 822 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 823 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 824 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 825 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 826 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 827 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 828 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 829 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 830 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 831 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 832 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 833 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 834 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 835 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 836 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 837 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 838 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 839 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 840 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 841 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 842 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 843 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 844 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 845 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 846 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 847 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 848 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 849 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 850 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 851 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 852 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 853 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 854 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 855 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 856 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 857 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 858 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 859 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 860 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 861 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 862 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 863 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 864 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 865 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 866 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 867 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 868 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 869 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 870 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 871 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 872 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 873 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 874 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 875 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 876 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 877 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 878 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 879 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 880 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 881 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 882 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 883 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 884 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 885 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 886 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 887 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 888 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 889 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 890 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 891 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 892 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 893 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 894 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 895 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 896 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 897 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 898 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 899 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 900 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 901 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 902 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 903 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 904 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 905 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 906 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 907 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 908 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 909 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 910 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 911 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 912 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 913 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 914 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 915 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 916 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 917 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 918 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 919 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 920 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 921 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 922 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 923 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 924 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 925 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 926 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 927 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 928 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 929 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 930 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 931 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 932 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 933 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 934 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 935 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 936 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 937 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 938 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 939 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 940 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 941 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 942 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 943 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 944 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 945 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 946 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 947 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 948 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 949 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 950 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 732 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 733 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 734 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 735 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 736 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 737 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 738 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 739 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 740 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 741 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 742 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 743 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 744 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 745 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 746 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 747 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 748 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 749 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 750 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 751 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 752 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 753 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 754 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 755 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 756 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 757 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 758 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 759 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 760 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 761 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 762 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 763 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 764 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 765 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 766 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 767 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 768 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 769 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 770 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 771 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 772 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 773 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 774 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 775 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 776 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 777 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 778 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 779 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 780 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 781 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 782 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 783 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 784 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 785 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 786 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 787 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 788 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 789 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 790 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 791 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 792 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 793 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 794 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 795 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 796 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 797 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 798 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 799 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 800 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 801 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 802 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 803 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 804 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 805 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 806 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 807 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 808 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 809 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 810 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 811 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 812 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 813 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 814 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 815 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 816 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 817 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 818 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 819 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 820 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 821 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 822 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 823 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 824 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 825 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 826 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 827 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 828 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 829 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 830 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 831 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 832 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 833 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 834 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 835 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 836 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 837 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 838 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 839 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 840 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 841 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 842 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 843 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 844 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 845 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 846 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 847 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 848 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 849 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 850 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 851 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 852 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 853 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 854 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 855 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 856 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 857 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 858 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 859 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 860 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 861 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 862 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 863 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 864 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 865 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 866 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 867 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 868 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 869 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 870 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 871 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 872 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 873 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 874 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 875 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 876 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 877 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 878 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 879 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 880 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 881 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 882 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 883 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 884 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 885 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 886 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 887 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 888 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 889 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 890 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 891 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 892 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 893 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 894 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 895 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 896 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 897 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 898 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 899 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 900 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 901 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 902 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 903 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 904 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 905 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 906 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 907 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 908 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 909 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 910 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 911 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 912 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 913 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 914 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 915 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 916 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 917 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 918 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 919 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 920 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 921 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 922 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 923 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 924 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 925 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 926 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 927 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 928 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 929 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 930 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 931 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 932 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 933 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 934 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 935 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 936 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 937 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 938 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 939 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 940 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 941 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 942 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 943 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 944 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 945 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 946 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 947 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 948 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 949 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 950 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 951 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 952 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 953 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 953 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 954 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 955 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 956 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 957 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 958 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 955 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 956 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 957 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 958 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | | 959 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 960 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 960 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | | 961 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 962 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 963 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform | From 3a2a4a561df66fce02a910920c9e21a7a78dbe2d Mon Sep 17 00:00:00 2001 From: Saar Ettinger Date: Tue, 17 Aug 2021 13:16:23 +0300 Subject: [PATCH 158/203] Merge pull request #1498 from bridgecrewio/cfn_edges CFN Graph edges --- docs/5.Policy Index/serverless.md | 130 ++++++++++++++++++++++++++++++ 1 file changed, 130 insertions(+) diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index d35af83ca3..020ab484d2 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md @@ -16,3 +16,133 @@ nav_order: 1 --- +| | Id | Type | Entity | Policy | IaC | +|-----|-------------|----------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| +| 0 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | +| 1 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | +| 2 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | +| 3 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | +| 4 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | +| 5 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | +| 6 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | +| 7 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | +| 8 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | +| 9 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | +| 10 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | +| 11 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | +| 12 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | +| 13 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | +| 14 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | +| 15 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 16 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 17 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 18 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 19 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | +| 20 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | +| 21 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | +| 22 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | +| 23 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | +| 24 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | +| 25 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | +| 26 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | +| 27 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | +| 28 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | +| 29 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | +| 30 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | +| 31 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | +| 32 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | +| 33 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | +| 34 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | +| 35 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | +| 36 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | +| 37 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | +| 38 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | +| 39 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | +| 40 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | +| 41 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | +| 42 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | +| 43 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | +| 44 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | +| 45 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | +| 46 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | +| 47 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | +| 48 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | +| 49 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | +| 50 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | +| 51 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | +| 52 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | +| 53 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | +| 54 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | +| 55 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | +| 56 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | +| 57 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | +| 58 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | +| 59 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | +| 60 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | +| 61 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | +| 62 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | +| 63 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | +| 64 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | +| 65 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | +| 66 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | +| 67 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | +| 68 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | +| 69 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | +| 70 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | +| 71 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | +| 72 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | +| 73 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | +| 74 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | +| 75 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | +| 76 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | +| 77 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | +| 78 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | +| 79 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | +| 80 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 81 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 82 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 83 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 84 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 85 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 86 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 87 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 88 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 89 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 90 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 91 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 92 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 93 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 94 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 95 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 96 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 97 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 98 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 99 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 100 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 101 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 102 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 103 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 104 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 105 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | +| 106 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | +| 107 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | +| 108 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | +| 109 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | +| 110 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | +| 111 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | +| 112 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | +| 113 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | +| 114 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | +| 115 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | +| 116 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | +| 117 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | +| 118 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | +| 119 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | +| 120 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | +| 121 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | +| 122 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | + + +--- + + From 8cb33fd1fec472d2ffee1221ef5c9ab95fc1a2bc Mon Sep 17 00:00:00 2001 From: Saar Ettinger Date: Tue, 17 Aug 2021 13:16:23 +0300 Subject: [PATCH 159/203] Merge pull request #1498 from bridgecrewio/cfn_edges CFN Graph edges --- checkov/version.py | 2 +- kubernetes/requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/checkov/version.py b/checkov/version.py index 524c7b9cb8..d3714be8f1 100644 --- a/checkov/version.py +++ b/checkov/version.py @@ -1 +1 @@ -version = '2.0.356' +version = '2.0.357' diff --git a/kubernetes/requirements.txt b/kubernetes/requirements.txt index 58bf410577..d678d41edd 100644 --- a/kubernetes/requirements.txt +++ b/kubernetes/requirements.txt @@ -1 +1 @@ -checkov==2.0.356 +checkov==2.0.357 From f214cba367160f2584d5544759c40b43cb6b75bb Mon Sep 17 00:00:00 2001 From: Saar Ettinger Date: Tue, 17 Aug 2021 15:31:11 +0300 Subject: [PATCH 160/203] fix for template crashing --- checkov/cloudformation/graph_manager.py | 13 ++++++++----- checkov/cloudformation/parser/__init__.py | 2 +- checkov/cloudformation/runner.py | 13 ++++++++----- 3 files changed, 17 insertions(+), 11 deletions(-) diff --git a/checkov/cloudformation/graph_manager.py b/checkov/cloudformation/graph_manager.py index a3753348ab..4561f0a77c 100644 --- a/checkov/cloudformation/graph_manager.py +++ b/checkov/cloudformation/graph_manager.py @@ -31,11 +31,14 @@ def build_graph_from_source_directory( # TODO: replace with real graph rendering for cf_file in rendered_definitions.keys(): - cf_context_parser = ContextParser(cf_file, rendered_definitions[cf_file], definitions_raw[cf_file]) - logging.debug( - "Template Dump for {}: {}".format(cf_file, json.dumps(rendered_definitions[cf_file], indent=2, default=str)) - ) - cf_context_parser.evaluate_default_refs() + file_definition = rendered_definitions.get(cf_file, None) + file_definition_raw = definitions_raw.get(cf_file, None) + if file_definition is not None and file_definition_raw is not None: + cf_context_parser = ContextParser(cf_file, file_definition, file_definition_raw) + logging.debug( + "Template Dump for {}: {}".format(cf_file, json.dumps(file_definition, indent=2, default=str)) + ) + cf_context_parser.evaluate_default_refs() return local_graph, rendered_definitions def build_graph_from_definitions( diff --git a/checkov/cloudformation/parser/__init__.py b/checkov/cloudformation/parser/__init__.py index 57e07179ac..9417c3e18a 100644 --- a/checkov/cloudformation/parser/__init__.py +++ b/checkov/cloudformation/parser/__init__.py @@ -44,7 +44,7 @@ def parse(filename: str) -> Union[Tuple[dict_node, List[Tuple[int, str]]], Tuple except YAMLError as err: pass - if template: + if isinstance(template, dict): resources = template.get(TemplateSections.RESOURCES.value, None) if resources: if '__startline__' in resources: diff --git a/checkov/cloudformation/runner.py b/checkov/cloudformation/runner.py index f51800a6de..9d7440e060 100644 --- a/checkov/cloudformation/runner.py +++ b/checkov/cloudformation/runner.py @@ -67,11 +67,14 @@ def run( # TODO: replace with real graph rendering for cf_file in self.definitions.keys(): - cf_context_parser = ContextParser(cf_file, self.definitions[cf_file], self.definitions_raw[cf_file]) - logging.debug( - "Template Dump for {}: {}".format(cf_file, json.dumps(self.definitions[cf_file], indent=2, default=str)) - ) - cf_context_parser.evaluate_default_refs() + file_definition = self.definitions.get(cf_file, None) + file_definition_raw = self.definitions_raw.get(cf_file, None) + if file_definition is not None and file_definition_raw is not None: + cf_context_parser = ContextParser(cf_file, file_definition, file_definition_raw) + logging.debug( + "Template Dump for {}: {}".format(cf_file, json.dumps(file_definition, indent=2, default=str)) + ) + cf_context_parser.evaluate_default_refs() # run checks self.check_definitions(root_folder, runner_filter, report) From 7238ceaec69dce3d24a799b0ba1d9dfeff1644ba Mon Sep 17 00:00:00 2001 From: Saar Ettinger Date: Tue, 17 Aug 2021 15:46:17 +0300 Subject: [PATCH 161/203] Merge pull request #1509 from bridgecrewio/fix_cfn_template_crash CFN Runner crashes for non dict template file and file paths that are missing in the definitions object --- docs/5.Policy Index/terraform.md | 606 +++++++++++++++---------------- 1 file changed, 303 insertions(+), 303 deletions(-) diff --git a/docs/5.Policy Index/terraform.md b/docs/5.Policy Index/terraform.md index fc26e3b790..5687eb553f 100644 --- a/docs/5.Policy Index/terraform.md +++ b/docs/5.Policy Index/terraform.md @@ -201,17 +201,17 @@ nav_order: 1 | 190 | CKV_AWS_170 | resource | aws_qldb_ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Terraform | | 191 | CKV_AWS_171 | resource | aws_emr_security_configuration | Ensure Cluster security configuration encryption is using SSE-KMS | Terraform | | 192 | CKV_AWS_172 | resource | aws_qldb_ledger | Ensure QLDB ledger has deletion protection enabled | Terraform | -| 193 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | -| 194 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | -| 195 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | -| 196 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 193 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | +| 194 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | +| 195 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 196 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | | 197 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | | 198 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | | 199 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | | 200 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | | 201 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to an other resource | Terraform | -| 202 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | -| 203 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | +| 202 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | +| 203 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | | 204 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | | 205 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | | 206 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | @@ -221,12 +221,12 @@ nav_order: 1 | 210 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | | 211 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | | 212 | CKV2_AWS_13 | resource | aws_redshift_cluster | Ensure that Redshift clusters has backup plan of AWS Backup | Terraform | -| 213 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | -| 214 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | +| 213 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | +| 214 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | | 215 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | | 216 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 217 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | -| 218 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | +| 217 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | +| 218 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 219 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | | 220 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | | 221 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | @@ -235,11 +235,11 @@ nav_order: 1 | 224 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | | 225 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | | 226 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | -| 227 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | -| 228 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | +| 227 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | +| 228 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | | 229 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | -| 230 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | -| 231 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | +| 230 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | +| 231 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | | 232 | CKV_AZURE_1 | resource | azurerm_linux_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | | 233 | CKV_AZURE_1 | resource | azurerm_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | | 234 | CKV_AZURE_2 | resource | azurerm_managed_disk | Ensure Azure managed disk has encryption enabled | Terraform | @@ -388,17 +388,17 @@ nav_order: 1 | 377 | CKV_AZURE_130 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables infrastructure encryption | Terraform | | 378 | CKV_AZURE_131 | resource | azurerm_security_center_contact | Ensure that 'Security contact emails' is set | Terraform | | 379 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | -| 380 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 381 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 382 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 380 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 381 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 382 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 383 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 384 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 385 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 384 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 385 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 386 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 387 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 388 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 387 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 388 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | | 389 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 390 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 390 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | | 391 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 392 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 393 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | @@ -409,23 +409,23 @@ nav_order: 1 | 398 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | | 399 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | | 400 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | -| 401 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | -| 402 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | -| 403 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | -| 404 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | +| 401 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | +| 402 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | +| 403 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | +| 404 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | | 405 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | -| 406 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 407 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 408 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 409 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 406 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 407 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 408 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 409 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | | 410 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 411 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 412 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | -| 413 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 414 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 415 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 416 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 417 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 413 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 414 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 415 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 416 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 417 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 418 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 419 | CKV_GCP_1 | resource | google_container_cluster | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters | Terraform | | 420 | CKV_GCP_2 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted ssh access | Terraform | @@ -511,277 +511,277 @@ nav_order: 1 | 500 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | | 501 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | | 502 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 503 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 504 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 505 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 506 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 507 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 508 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 509 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 510 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 511 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 512 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 513 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 514 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 515 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 516 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 517 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 518 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 519 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 520 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 521 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 522 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 523 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 524 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 525 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 526 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 527 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 528 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 529 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 530 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 531 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 532 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 533 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 534 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 535 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 536 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 537 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 538 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 539 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 540 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 541 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 542 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 543 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 544 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 545 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 546 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 547 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 548 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 549 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 550 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 551 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 552 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 553 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 554 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 555 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 556 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 557 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 558 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 559 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 560 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 561 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 562 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 563 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 564 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 565 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 566 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 567 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 568 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 569 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 570 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 571 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 572 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 573 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 574 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 575 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 576 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 577 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 578 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 579 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 580 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 581 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 582 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 583 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 584 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 585 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 586 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 587 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 588 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 589 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 590 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 591 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 592 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 593 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 594 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 595 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 596 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 597 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 598 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 599 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 600 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 601 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 602 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 603 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 604 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 605 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 606 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 607 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 608 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 609 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 610 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 611 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 612 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 613 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 614 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 615 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 616 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 617 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 618 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 619 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 620 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 621 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 622 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 623 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 624 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 625 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 626 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 627 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 628 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 629 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 630 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 631 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 632 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 633 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 634 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 635 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 636 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 637 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 638 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 639 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 640 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 641 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 642 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 643 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 644 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 645 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 646 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 647 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 648 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 649 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 650 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 651 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 652 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 653 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 654 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 655 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 656 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 657 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 658 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 659 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 660 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 661 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 662 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 663 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 664 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 665 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 666 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 667 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 668 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 669 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 670 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 671 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 672 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 673 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 674 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 675 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 676 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 677 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 678 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 679 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 680 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 681 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 682 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 683 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 684 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 685 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 686 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 687 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 688 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 689 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 503 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 504 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 505 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 506 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 507 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 508 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 509 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 510 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 511 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 512 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 513 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 514 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 515 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 516 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 517 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 518 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 519 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 520 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 521 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 522 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 523 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 524 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 525 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 526 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 527 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 528 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 529 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 530 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 531 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 532 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 533 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 534 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 535 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 536 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 537 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 538 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 539 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 540 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 541 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 542 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 543 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 544 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 545 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 546 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 547 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 548 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 549 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 550 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 551 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 552 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 553 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 554 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 555 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 556 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 557 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 558 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 559 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 560 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 561 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 562 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 563 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 564 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 565 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 566 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 567 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 568 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 569 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 570 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 571 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 572 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 573 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 574 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 575 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 576 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 577 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 578 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 579 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 580 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 581 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 582 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 583 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 584 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 585 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 586 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 587 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 588 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 589 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 590 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 591 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 592 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 593 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 594 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 595 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 596 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 597 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 598 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 599 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 600 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 601 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 602 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 603 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 604 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 605 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 606 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 607 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 608 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 609 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 610 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 611 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 612 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 613 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 614 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 615 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 616 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 617 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 618 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 619 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 620 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 621 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 622 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 623 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 624 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 625 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 626 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 627 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 628 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 629 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 630 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 631 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 632 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 633 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 634 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 635 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 636 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 637 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 638 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 639 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 640 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 641 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 642 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 643 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 644 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 645 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 646 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 647 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 648 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 649 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 650 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 651 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 652 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 653 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 654 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 655 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 656 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 657 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 658 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 659 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 660 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 661 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 662 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 663 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 664 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 665 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 666 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 667 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 668 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 669 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 670 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 671 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 672 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 673 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 674 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 675 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 676 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 677 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 678 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 679 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 680 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 681 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 682 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 683 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 684 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 685 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 686 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 687 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 688 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 689 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 690 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 691 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 692 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 693 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 694 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 695 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 696 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 697 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 698 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 699 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 700 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 701 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 702 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 703 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 704 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 705 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 706 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 707 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 708 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 709 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 710 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 711 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 712 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 713 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 714 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 715 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 716 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 717 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 718 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 719 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 720 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 721 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 722 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 723 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 724 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 725 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 726 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 727 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 728 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 729 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 730 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 731 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 732 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 733 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 734 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 735 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 736 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 737 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 738 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 739 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 740 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 741 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 742 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 743 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 744 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 745 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 746 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 747 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 748 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 749 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 750 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 751 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 752 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 753 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 754 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 755 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 756 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 757 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 758 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 759 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 760 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 761 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 762 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 763 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 764 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 765 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 691 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 692 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 693 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 694 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 695 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 696 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 697 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 698 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 699 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 700 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 701 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 702 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 703 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 704 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 705 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 706 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 707 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 708 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 709 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 710 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 711 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 712 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 713 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 714 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 715 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 716 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 717 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 718 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 719 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 720 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 721 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 722 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 723 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 724 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 725 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 726 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 727 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 728 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 729 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 730 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 731 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 732 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 733 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 734 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 735 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 736 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 737 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 738 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 739 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 740 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 741 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 742 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 743 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 744 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 745 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 746 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 747 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 748 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 749 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 750 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 751 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 752 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 753 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 754 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 755 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 756 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 757 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 758 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 759 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 760 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 761 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 762 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 763 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 764 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 765 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 766 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 767 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 768 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 769 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 770 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 771 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 772 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 773 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 768 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 769 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 770 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 771 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 772 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 773 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | | 774 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 775 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 776 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform | From 8001210498a0981e112f7374a69c62385c18d355 Mon Sep 17 00:00:00 2001 From: Saar Ettinger Date: Tue, 17 Aug 2021 15:46:17 +0300 Subject: [PATCH 162/203] Merge pull request #1509 from bridgecrewio/fix_cfn_template_crash CFN Runner crashes for non dict template file and file paths that are missing in the definitions object --- docs/5.Policy Index/serverless.md | 130 ------------------------------ 1 file changed, 130 deletions(-) diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index 020ab484d2..d35af83ca3 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md @@ -16,133 +16,3 @@ nav_order: 1 --- -| | Id | Type | Entity | Policy | IaC | -|-----|-------------|----------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| -| 0 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | -| 1 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | -| 2 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | -| 3 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | -| 4 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | -| 5 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | -| 6 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | -| 7 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | -| 8 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | -| 9 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | -| 10 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | -| 11 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | -| 12 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | -| 13 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | -| 14 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | -| 15 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 16 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 17 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 18 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 19 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | -| 20 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | -| 21 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | -| 22 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | -| 23 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | -| 24 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | -| 25 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | -| 26 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | -| 27 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | -| 28 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | -| 29 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | -| 30 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | -| 31 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | -| 32 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | -| 33 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | -| 34 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | -| 35 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | -| 36 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | -| 37 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | -| 38 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | -| 39 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | -| 40 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | -| 41 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | -| 42 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | -| 43 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | -| 44 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | -| 45 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | -| 46 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | -| 47 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | -| 48 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | -| 49 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | -| 50 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | -| 51 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | -| 52 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | -| 53 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | -| 54 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | -| 55 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | -| 56 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | -| 57 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | -| 58 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | -| 59 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | -| 60 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | -| 61 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | -| 62 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | -| 63 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | -| 64 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | -| 65 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | -| 66 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | -| 67 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | -| 68 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | -| 69 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | -| 70 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | -| 71 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | -| 72 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | -| 73 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | -| 74 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | -| 75 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | -| 76 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | -| 77 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | -| 78 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | -| 79 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | -| 80 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 81 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 82 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 83 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 84 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 85 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 86 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 87 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 88 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 89 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 90 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 91 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 92 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 93 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 94 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 95 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 96 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 97 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 98 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 99 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 100 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 101 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 102 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 103 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 104 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 105 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | -| 106 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | -| 107 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | -| 108 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | -| 109 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | -| 110 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | -| 111 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | -| 112 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | -| 113 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | -| 114 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | -| 115 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | -| 116 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | -| 117 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | -| 118 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | -| 119 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | -| 120 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | -| 121 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | -| 122 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | - - ---- - - From 8911aa552603a56d8006b756f5429c88518dc06d Mon Sep 17 00:00:00 2001 From: Saar Ettinger Date: Tue, 17 Aug 2021 15:46:17 +0300 Subject: [PATCH 163/203] Merge pull request #1509 from bridgecrewio/fix_cfn_template_crash CFN Runner crashes for non dict template file and file paths that are missing in the definitions object --- docs/5.Policy Index/all.md | 590 ++++++++++++++++++------------------- 1 file changed, 295 insertions(+), 295 deletions(-) diff --git a/docs/5.Policy Index/all.md b/docs/5.Policy Index/all.md index 1f1adc296b..dd8e38a253 100644 --- a/docs/5.Policy Index/all.md +++ b/docs/5.Policy Index/all.md @@ -331,8 +331,8 @@ nav_order: 1 | 320 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | | 321 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | | 322 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | -| 323 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 324 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | +| 323 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | +| 324 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | | 325 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | | 326 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | | 327 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to an other resource | Terraform | @@ -344,13 +344,13 @@ nav_order: 1 | 333 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | | 334 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | | 335 | CKV2_AWS_11 | resource | aws_vpc | Ensure VPC flow logging is enabled in all VPCs | Terraform | -| 336 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | -| 337 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 336 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 337 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | | 338 | CKV2_AWS_13 | resource | aws_redshift_cluster | Ensure that Redshift clusters has backup plan of AWS Backup | Terraform | -| 339 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | -| 340 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | -| 341 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 342 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 339 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | +| 340 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | +| 341 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 342 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | | 343 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 344 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 345 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | @@ -364,8 +364,8 @@ nav_order: 1 | 353 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | | 354 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | | 355 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | -| 356 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | -| 357 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | +| 356 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | +| 357 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | | 358 | CKV_AZURE_1 | resource | azurerm_linux_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | | 359 | CKV_AZURE_1 | resource | azurerm_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | | 360 | CKV_AZURE_1 | resource | Microsoft.Compute/virtualMachines | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | arm | @@ -570,14 +570,14 @@ nav_order: 1 | 559 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | | 560 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | | 561 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 562 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 563 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 562 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 563 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 564 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 565 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 566 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 565 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 566 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 567 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 568 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 569 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 568 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 569 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | | 570 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 571 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 572 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | @@ -593,19 +593,19 @@ nav_order: 1 | 582 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | | 583 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | | 584 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | -| 585 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 586 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 587 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 588 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 589 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | -| 590 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 585 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 586 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 587 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 588 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 589 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 590 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 591 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | -| 592 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 592 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | | 593 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 594 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 595 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 596 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 597 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 594 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 595 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 596 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 597 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 598 | CKV_DOCKER_1 | dockerfile | EXPOSE | Ensure port 22 is not exposed | dockerfile | | 599 | CKV_DOCKER_2 | dockerfile | * | Ensure that HEALTHCHECK instructions have been added to container images | dockerfile | | 600 | CKV_DOCKER_3 | dockerfile | * | Ensure that a user for the container has been created | dockerfile | @@ -698,279 +698,279 @@ nav_order: 1 | 687 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | | 688 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | | 689 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 690 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 691 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 692 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 693 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 694 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 695 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 696 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 697 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 698 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 699 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 700 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 701 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 702 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 703 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 704 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 705 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 706 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 707 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 708 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 709 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 710 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 711 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 712 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 713 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 714 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 715 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 716 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 717 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 718 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 719 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 720 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 721 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 722 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 723 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 724 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 725 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 726 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 727 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 728 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 729 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 730 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 731 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 732 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 733 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 734 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 735 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 736 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 737 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 738 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 739 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 740 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 741 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 742 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 743 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 744 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 745 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 746 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 747 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 748 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 749 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 750 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 751 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 752 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 753 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 754 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 755 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 756 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 757 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 758 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 759 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 760 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 761 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 762 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 763 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 764 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 765 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 766 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 767 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 768 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 769 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 770 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 771 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 772 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 773 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 774 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 775 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 776 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 777 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 778 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 779 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 780 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 781 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 782 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 783 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 784 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 785 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 786 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 787 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 788 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 789 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 790 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 791 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 792 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 793 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 794 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 795 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 796 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 797 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 798 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 799 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 800 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 801 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 802 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 803 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 804 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 805 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 806 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 807 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 808 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 809 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 810 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 811 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 812 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 813 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 814 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 815 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 816 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 817 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 818 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 819 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 820 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 821 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 690 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 691 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 692 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 693 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 694 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 695 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 696 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 697 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 698 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 699 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 700 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 701 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 702 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 703 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 704 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 705 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 706 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 707 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 708 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 709 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 710 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 711 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 712 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 713 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 714 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 715 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 716 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 717 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 718 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 719 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 720 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 721 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 722 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 723 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 724 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 725 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 726 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 727 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 728 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 729 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 730 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 731 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 732 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 733 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 734 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 735 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 736 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 737 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 738 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 739 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 740 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 741 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 742 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 743 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 744 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 745 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 746 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 747 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 748 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 749 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 750 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 751 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 752 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 753 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 754 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 755 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 756 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 757 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 758 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 759 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 760 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 761 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 762 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 763 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 764 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 765 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 766 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 767 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 768 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 769 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 770 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 771 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 772 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 773 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 774 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 775 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 776 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 777 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 778 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 779 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 780 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 781 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 782 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 783 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 784 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 785 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 786 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 787 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 788 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 789 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 790 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 791 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 792 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 793 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 794 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 795 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 796 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 797 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 798 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 799 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 800 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 801 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 802 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 803 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 804 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 805 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 806 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 807 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 808 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 809 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 810 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 811 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 812 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 813 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 814 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 815 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 816 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 817 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 818 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 819 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 820 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 821 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 822 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 823 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 824 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 825 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 826 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 827 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 828 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 829 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 830 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 831 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 832 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 833 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 834 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 835 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 836 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 837 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 838 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 839 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 840 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 841 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 842 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 843 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 844 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 845 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 846 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 847 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 848 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 849 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 850 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 851 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 852 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 853 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 854 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 855 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 856 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 857 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 858 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 859 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 860 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 861 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 862 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 863 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 864 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 865 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 866 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 867 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 868 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 869 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 870 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 871 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 872 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 873 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 874 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 875 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 876 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 877 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 878 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 879 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 880 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 881 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 882 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 883 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 884 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 885 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 886 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 887 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 888 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 889 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 890 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 891 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 892 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 893 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 894 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 895 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 896 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 897 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 898 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 899 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 823 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 824 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 825 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 826 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 827 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 828 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 829 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 830 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 831 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 832 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 833 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 834 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 835 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 836 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 837 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 838 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 839 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 840 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 841 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 842 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 843 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 844 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 845 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 846 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 847 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 848 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 849 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 850 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 851 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 852 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 853 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 854 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 855 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 856 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 857 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 858 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 859 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 860 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 861 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 862 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 863 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 864 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 865 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 866 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 867 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 868 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 869 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 870 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 871 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 872 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 873 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 874 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 875 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 876 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 877 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 878 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 879 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 880 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 881 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 882 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 883 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 884 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 885 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 886 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 887 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 888 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 889 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 890 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 891 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 892 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 893 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 894 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 895 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 896 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 897 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 898 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 899 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 900 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 901 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 902 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 903 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 904 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 905 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 906 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 907 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 908 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 909 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 910 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 911 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 912 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 913 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 914 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 915 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 916 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 917 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 918 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 919 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 920 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 921 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 922 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 923 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 924 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 925 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 926 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 927 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 928 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 929 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 930 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 931 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 932 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 933 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 934 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 935 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 936 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 937 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 938 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 939 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 940 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 941 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 942 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 943 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 944 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 945 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 946 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 947 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 948 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 949 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 950 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 951 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 952 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 901 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 902 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 903 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 904 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 905 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 906 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 907 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 908 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 909 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 910 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 911 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 912 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 913 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 914 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 915 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 916 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 917 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 918 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 919 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 920 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 921 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 922 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 923 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 924 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 925 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 926 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 927 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 928 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 929 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 930 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 931 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 932 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 933 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 934 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 935 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 936 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 937 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 938 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 939 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 940 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 941 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 942 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 943 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 944 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 945 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 946 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 947 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 948 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 949 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 950 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 951 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 952 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 953 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 954 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 955 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 956 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 957 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 958 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 955 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 956 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 957 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 958 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | | 959 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 960 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 961 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | -| 962 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 960 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 961 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 962 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 963 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform | | 964 | CKV_K8S_1 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host process ID namespace | Kubernetes | | 965 | CKV_K8S_2 | resource | PodSecurityPolicy | Do not admit privileged containers | Kubernetes | From b9ff2fdb5bf80daacd179a4fb2aa6fd45b23fd5d Mon Sep 17 00:00:00 2001 From: Saar Ettinger Date: Tue, 17 Aug 2021 15:46:17 +0300 Subject: [PATCH 164/203] Merge pull request #1509 from bridgecrewio/fix_cfn_template_crash CFN Runner crashes for non dict template file and file paths that are missing in the definitions object --- docs/5.Policy Index/serverless.md | 130 ++++++++++++++++++++++++++++++ 1 file changed, 130 insertions(+) diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index d35af83ca3..020ab484d2 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md @@ -16,3 +16,133 @@ nav_order: 1 --- +| | Id | Type | Entity | Policy | IaC | +|-----|-------------|----------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| +| 0 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | +| 1 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | +| 2 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | +| 3 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | +| 4 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | +| 5 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | +| 6 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | +| 7 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | +| 8 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | +| 9 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | +| 10 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | +| 11 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | +| 12 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | +| 13 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | +| 14 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | +| 15 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 16 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 17 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 18 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 19 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | +| 20 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | +| 21 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | +| 22 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | +| 23 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | +| 24 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | +| 25 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | +| 26 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | +| 27 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | +| 28 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | +| 29 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | +| 30 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | +| 31 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | +| 32 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | +| 33 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | +| 34 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | +| 35 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | +| 36 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | +| 37 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | +| 38 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | +| 39 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | +| 40 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | +| 41 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | +| 42 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | +| 43 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | +| 44 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | +| 45 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | +| 46 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | +| 47 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | +| 48 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | +| 49 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | +| 50 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | +| 51 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | +| 52 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | +| 53 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | +| 54 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | +| 55 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | +| 56 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | +| 57 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | +| 58 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | +| 59 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | +| 60 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | +| 61 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | +| 62 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | +| 63 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | +| 64 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | +| 65 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | +| 66 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | +| 67 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | +| 68 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | +| 69 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | +| 70 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | +| 71 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | +| 72 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | +| 73 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | +| 74 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | +| 75 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | +| 76 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | +| 77 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | +| 78 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | +| 79 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | +| 80 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 81 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 82 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 83 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 84 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 85 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 86 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 87 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 88 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 89 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 90 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 91 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 92 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 93 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 94 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 95 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 96 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 97 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 98 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 99 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 100 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 101 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 102 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 103 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 104 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 105 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | +| 106 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | +| 107 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | +| 108 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | +| 109 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | +| 110 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | +| 111 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | +| 112 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | +| 113 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | +| 114 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | +| 115 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | +| 116 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | +| 117 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | +| 118 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | +| 119 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | +| 120 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | +| 121 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | +| 122 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | + + +--- + + From 2d28cb2572bac537ed15a347bd4378a34527feda Mon Sep 17 00:00:00 2001 From: Saar Ettinger Date: Tue, 17 Aug 2021 15:46:17 +0300 Subject: [PATCH 165/203] Merge pull request #1509 from bridgecrewio/fix_cfn_template_crash CFN Runner crashes for non dict template file and file paths that are missing in the definitions object --- checkov/version.py | 2 +- kubernetes/requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/checkov/version.py b/checkov/version.py index d3714be8f1..e7744692f9 100644 --- a/checkov/version.py +++ b/checkov/version.py @@ -1 +1 @@ -version = '2.0.357' +version = '2.0.358' diff --git a/kubernetes/requirements.txt b/kubernetes/requirements.txt index d678d41edd..f0570bbc23 100644 --- a/kubernetes/requirements.txt +++ b/kubernetes/requirements.txt @@ -1 +1 @@ -checkov==2.0.357 +checkov==2.0.358 From 4ab8dea322519738e2210c146b5e33d73c8529fd Mon Sep 17 00:00:00 2001 From: Saar Ettinger Date: Tue, 17 Aug 2021 18:58:55 +0300 Subject: [PATCH 166/203] fixed cfn crashes during cfn edges creation for identifier that is not a string, and fixed cfn crashes during the check IAMRoleAllowAssumeFromAccount --- .../aws/IAMRoleAllowAssumeFromAccount.py | 2 ++ .../cloudformation/graph_builder/local_graph.py | 16 ++++++++++++---- 2 files changed, 14 insertions(+), 4 deletions(-) diff --git a/checkov/cloudformation/checks/resource/aws/IAMRoleAllowAssumeFromAccount.py b/checkov/cloudformation/checks/resource/aws/IAMRoleAllowAssumeFromAccount.py index d4424bf054..eac9bf4ae1 100644 --- a/checkov/cloudformation/checks/resource/aws/IAMRoleAllowAssumeFromAccount.py +++ b/checkov/cloudformation/checks/resource/aws/IAMRoleAllowAssumeFromAccount.py @@ -23,6 +23,8 @@ def scan_resource_conf(self, conf): assume_role_block = json.loads(assume_role_policy_doc) else: assume_role_block = assume_role_policy_doc + else: + return CheckResult.FAILED if 'Statement' in assume_role_block.keys(): if isinstance(assume_role_block['Statement'], list) and 'Principal' in \ diff --git a/checkov/cloudformation/graph_builder/local_graph.py b/checkov/cloudformation/graph_builder/local_graph.py index ce12f41226..4c666669fe 100644 --- a/checkov/cloudformation/graph_builder/local_graph.py +++ b/checkov/cloudformation/graph_builder/local_graph.py @@ -240,22 +240,30 @@ def _create_edge(self, origin_vertex_index: int, dest_vertex_index: int, label: @staticmethod def _is_parameter(template, identifier): """Check if the identifier is that of a Parameter""" - return template.template.get(TemplateSections.PARAMETERS, {}).get(identifier, {}) + if isinstance(identifier, str): + return template.template.get(TemplateSections.PARAMETERS, {}).get(identifier, {}) + return False @staticmethod def _is_mapping(template, identifier): """Check if the identifier is that of a Mapping""" - return template.template.get(TemplateSections.MAPPINGS, {}).get(identifier, {}) + if isinstance(identifier, str): + return template.template.get(TemplateSections.MAPPINGS, {}).get(identifier, {}) + return False @staticmethod def _is_condition(template, identifier): """Check if the identifier is that of a Condition""" - return template.template.get(TemplateSections.CONDITIONS, {}).get(identifier, {}) + if isinstance(identifier, str): + return template.template.get(TemplateSections.CONDITIONS, {}).get(identifier, {}) + return False @staticmethod def _is_resource(template, identifier): """Check if the identifier is that of a Resource""" - return template.template.get(TemplateSections.RESOURCES, {}).get(identifier, {}) + if isinstance(identifier, str): + return template.template.get(TemplateSections.RESOURCES, {}).get(identifier, {}) + return False def get_only_dict_items(origin_dict: Dict[str, Any]) -> Dict[str, Dict[str, Any]]: From 67b18988c44ac211d75b2739e17da1bbc5404a53 Mon Sep 17 00:00:00 2001 From: Saar Ettinger Date: Tue, 17 Aug 2021 19:11:43 +0300 Subject: [PATCH 167/203] changed check result in case AssumeRolePolicyDocument doesnt exist to UNKNOWN --- .../checks/resource/aws/IAMRoleAllowAssumeFromAccount.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/checkov/cloudformation/checks/resource/aws/IAMRoleAllowAssumeFromAccount.py b/checkov/cloudformation/checks/resource/aws/IAMRoleAllowAssumeFromAccount.py index eac9bf4ae1..ac83bff526 100644 --- a/checkov/cloudformation/checks/resource/aws/IAMRoleAllowAssumeFromAccount.py +++ b/checkov/cloudformation/checks/resource/aws/IAMRoleAllowAssumeFromAccount.py @@ -24,7 +24,7 @@ def scan_resource_conf(self, conf): else: assume_role_block = assume_role_policy_doc else: - return CheckResult.FAILED + return CheckResult.UNKNOWN if 'Statement' in assume_role_block.keys(): if isinstance(assume_role_block['Statement'], list) and 'Principal' in \ From 4580d1ee57c543d085d8c4fba8420af7ef61d4e3 Mon Sep 17 00:00:00 2001 From: Saar Ettinger Date: Tue, 17 Aug 2021 19:21:22 +0300 Subject: [PATCH 168/203] Merge pull request #1510 from bridgecrewio/fix_cfn_template_crash CFN runner crashes during edges creation and IAMRoleAllowAssumeFromAccount check --- docs/5.Policy Index/terraform.md | 580 +++++++++++++++---------------- 1 file changed, 290 insertions(+), 290 deletions(-) diff --git a/docs/5.Policy Index/terraform.md b/docs/5.Policy Index/terraform.md index 5687eb553f..f4cdf57e9f 100644 --- a/docs/5.Policy Index/terraform.md +++ b/docs/5.Policy Index/terraform.md @@ -203,8 +203,8 @@ nav_order: 1 | 192 | CKV_AWS_172 | resource | aws_qldb_ledger | Ensure QLDB ledger has deletion protection enabled | Terraform | | 193 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | | 194 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | -| 195 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | -| 196 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 195 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 196 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | | 197 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | | 198 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | | 199 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | @@ -221,25 +221,25 @@ nav_order: 1 | 210 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | | 211 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | | 212 | CKV2_AWS_13 | resource | aws_redshift_cluster | Ensure that Redshift clusters has backup plan of AWS Backup | Terraform | -| 213 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | -| 214 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | -| 215 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 216 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 217 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | -| 218 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | +| 213 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | +| 214 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | +| 215 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 216 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 217 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | +| 218 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 219 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | | 220 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | | 221 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 222 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | -| 223 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 222 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 223 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | | 224 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | | 225 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | | 226 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | -| 227 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | -| 228 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | +| 227 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | +| 228 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | | 229 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | -| 230 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | -| 231 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | +| 230 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | +| 231 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | | 232 | CKV_AZURE_1 | resource | azurerm_linux_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | | 233 | CKV_AZURE_1 | resource | azurerm_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | | 234 | CKV_AZURE_2 | resource | azurerm_managed_disk | Ensure Azure managed disk has encryption enabled | Terraform | @@ -411,21 +411,21 @@ nav_order: 1 | 400 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | | 401 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | | 402 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | -| 403 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | -| 404 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | +| 403 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | +| 404 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | | 405 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | | 406 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | | 407 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 408 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 409 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 408 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 409 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | | 410 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 411 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 412 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | -| 413 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 414 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 413 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 414 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | | 415 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 416 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 417 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 416 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 417 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 418 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 419 | CKV_GCP_1 | resource | google_container_cluster | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters | Terraform | | 420 | CKV_GCP_2 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted ssh access | Terraform | @@ -511,279 +511,279 @@ nav_order: 1 | 500 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | | 501 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | | 502 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 503 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 504 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 505 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 506 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 507 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 508 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 509 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 510 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 511 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 512 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 513 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 514 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 515 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 516 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 517 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 518 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 519 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 520 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 521 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 503 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 504 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 505 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 506 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 507 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 508 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 509 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 510 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 511 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 512 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 513 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 514 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 515 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 516 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 517 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 518 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 519 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 520 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 521 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 522 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 523 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 524 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 525 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 526 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 527 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 528 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 529 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 530 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 531 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 532 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 533 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 534 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 535 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 536 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 537 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 538 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 539 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 540 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 541 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 542 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 543 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 544 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 545 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 546 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 547 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 548 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 549 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 550 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 551 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 552 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 553 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 554 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 555 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 556 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 557 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 558 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 559 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 560 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 561 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 562 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 563 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 564 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 565 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 566 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 567 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 568 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 569 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 570 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 571 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 572 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 573 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 574 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 575 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 576 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 577 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 578 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 579 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 580 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 581 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 582 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 583 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 584 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 585 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 586 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 587 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 588 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 589 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 590 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 591 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 592 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 593 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 594 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 595 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 596 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 597 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 598 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 599 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 600 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 601 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 523 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 524 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 525 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 526 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 527 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 528 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 529 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 530 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 531 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 532 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 533 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 534 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 535 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 536 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 537 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 538 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 539 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 540 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 541 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 542 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 543 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 544 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 545 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 546 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 547 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 548 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 549 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 550 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 551 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 552 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 553 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 554 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 555 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 556 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 557 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 558 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 559 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 560 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 561 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 562 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 563 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 564 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 565 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 566 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 567 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 568 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 569 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 570 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 571 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 572 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 573 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 574 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 575 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 576 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 577 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 578 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 579 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 580 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 581 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 582 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 583 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 584 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 585 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 586 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 587 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 588 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 589 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 590 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 591 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 592 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 593 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 594 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 595 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 596 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 597 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 598 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 599 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 600 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 601 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 602 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 603 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 604 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 605 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 606 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 607 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 608 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 609 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 610 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 611 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 612 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 613 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 614 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 615 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 616 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 617 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 618 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 619 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 620 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 621 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 622 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 623 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 624 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 625 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 626 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 627 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 628 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 629 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 630 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 631 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 632 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 633 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 634 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 635 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 636 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 637 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 638 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 639 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 640 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 641 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 642 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 643 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 644 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 645 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 646 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 647 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 648 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 649 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 650 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 651 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 652 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 653 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 654 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 655 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 656 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 657 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 658 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 659 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 660 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 661 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 662 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 663 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 664 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 665 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 666 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 667 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 668 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 669 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 670 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 671 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 672 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 673 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 674 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 675 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 676 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 677 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 678 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 679 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 680 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 681 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 682 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 683 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 684 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 685 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 686 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 687 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 688 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 689 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 690 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 691 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 692 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 693 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 694 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 695 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 696 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 697 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 698 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 699 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 700 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 701 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 702 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 703 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 704 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 705 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 706 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 707 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 708 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 709 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 710 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 711 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 712 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 713 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 714 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 715 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 603 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 604 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 605 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 606 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 607 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 608 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 609 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 610 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 611 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 612 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 613 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 614 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 615 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 616 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 617 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 618 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 619 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 620 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 621 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 622 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 623 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 624 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 625 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 626 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 627 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 628 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 629 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 630 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 631 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 632 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 633 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 634 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 635 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 636 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 637 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 638 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 639 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 640 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 641 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 642 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 643 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 644 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 645 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 646 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 647 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 648 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 649 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 650 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 651 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 652 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 653 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 654 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 655 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 656 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 657 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 658 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 659 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 660 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 661 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 662 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 663 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 664 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 665 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 666 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 667 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 668 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 669 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 670 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 671 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 672 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 673 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 674 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 675 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 676 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 677 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 678 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 679 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 680 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 681 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 682 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 683 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 684 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 685 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 686 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 687 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 688 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 689 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 690 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 691 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 692 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 693 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 694 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 695 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 696 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 697 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 698 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 699 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 700 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 701 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 702 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 703 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 704 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 705 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 706 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 707 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 708 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 709 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 710 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 711 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 712 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 713 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 714 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 715 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 716 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 717 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 718 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 719 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 720 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 721 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 722 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 723 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 724 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 725 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 726 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 727 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 728 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 729 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 730 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 731 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 732 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 733 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 734 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 735 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 736 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 737 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 738 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 739 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 740 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 741 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 742 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 743 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 744 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 745 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 746 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 747 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 748 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 749 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 750 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 751 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 752 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 753 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 754 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 755 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 756 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 757 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 758 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 759 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 760 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 761 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 762 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 763 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 717 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 718 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 719 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 720 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 721 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 722 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 723 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 724 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 725 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 726 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 727 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 728 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 729 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 730 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 731 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 732 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 733 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 734 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 735 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 736 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 737 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 738 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 739 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 740 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 741 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 742 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 743 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 744 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 745 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 746 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 747 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 748 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 749 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 750 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 751 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 752 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 753 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 754 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 755 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 756 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 757 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 758 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 759 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 760 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 761 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 762 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 763 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 764 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 765 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 766 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 767 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 768 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 769 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 770 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 765 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 766 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 767 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 768 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 769 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 770 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | | 771 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 772 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 773 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 774 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | -| 775 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 772 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 773 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 774 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 775 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 776 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform | | 777 | CKV_LIN_1 | provider | linode | Ensure no hard coded Linode tokens exist in provider | Terraform | | 778 | CKV_LIN_2 | resource | linode_instance | Ensure SSH key set in authorized_keys | Terraform | From 94d8895294d2225d0d66cbb36cf02ad2c9ed61f8 Mon Sep 17 00:00:00 2001 From: Saar Ettinger Date: Tue, 17 Aug 2021 19:21:22 +0300 Subject: [PATCH 169/203] Merge pull request #1510 from bridgecrewio/fix_cfn_template_crash CFN runner crashes during edges creation and IAMRoleAllowAssumeFromAccount check --- docs/5.Policy Index/serverless.md | 130 ------------------------------ 1 file changed, 130 deletions(-) diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index 020ab484d2..d35af83ca3 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md @@ -16,133 +16,3 @@ nav_order: 1 --- -| | Id | Type | Entity | Policy | IaC | -|-----|-------------|----------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| -| 0 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | -| 1 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | -| 2 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | -| 3 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | -| 4 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | -| 5 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | -| 6 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | -| 7 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | -| 8 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | -| 9 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | -| 10 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | -| 11 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | -| 12 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | -| 13 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | -| 14 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | -| 15 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 16 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 17 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 18 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 19 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | -| 20 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | -| 21 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | -| 22 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | -| 23 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | -| 24 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | -| 25 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | -| 26 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | -| 27 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | -| 28 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | -| 29 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | -| 30 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | -| 31 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | -| 32 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | -| 33 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | -| 34 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | -| 35 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | -| 36 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | -| 37 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | -| 38 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | -| 39 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | -| 40 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | -| 41 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | -| 42 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | -| 43 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | -| 44 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | -| 45 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | -| 46 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | -| 47 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | -| 48 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | -| 49 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | -| 50 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | -| 51 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | -| 52 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | -| 53 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | -| 54 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | -| 55 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | -| 56 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | -| 57 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | -| 58 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | -| 59 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | -| 60 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | -| 61 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | -| 62 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | -| 63 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | -| 64 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | -| 65 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | -| 66 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | -| 67 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | -| 68 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | -| 69 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | -| 70 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | -| 71 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | -| 72 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | -| 73 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | -| 74 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | -| 75 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | -| 76 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | -| 77 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | -| 78 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | -| 79 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | -| 80 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 81 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 82 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 83 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 84 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 85 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 86 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 87 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 88 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 89 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 90 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 91 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 92 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 93 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 94 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 95 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 96 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 97 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 98 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 99 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 100 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 101 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 102 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 103 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 104 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 105 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | -| 106 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | -| 107 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | -| 108 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | -| 109 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | -| 110 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | -| 111 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | -| 112 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | -| 113 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | -| 114 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | -| 115 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | -| 116 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | -| 117 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | -| 118 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | -| 119 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | -| 120 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | -| 121 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | -| 122 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | - - ---- - - From 67f569825fb28b6670bc403c9353ccf45c8b6570 Mon Sep 17 00:00:00 2001 From: Saar Ettinger Date: Tue, 17 Aug 2021 19:21:22 +0300 Subject: [PATCH 170/203] Merge pull request #1510 from bridgecrewio/fix_cfn_template_crash CFN runner crashes during edges creation and IAMRoleAllowAssumeFromAccount check --- docs/5.Policy Index/all.md | 620 ++++++++++++++++++------------------- 1 file changed, 310 insertions(+), 310 deletions(-) diff --git a/docs/5.Policy Index/all.md b/docs/5.Policy Index/all.md index dd8e38a253..150ee9b586 100644 --- a/docs/5.Policy Index/all.md +++ b/docs/5.Policy Index/all.md @@ -327,30 +327,30 @@ nav_order: 1 | 316 | CKV_AWS_171 | resource | aws_emr_security_configuration | Ensure Cluster security configuration encryption is using SSE-KMS | Terraform | | 317 | CKV_AWS_172 | resource | aws_qldb_ledger | Ensure QLDB ledger has deletion protection enabled | Terraform | | 318 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | -| 319 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | -| 320 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | +| 319 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | +| 320 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | | 321 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | | 322 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | | 323 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | | 324 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 325 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | -| 326 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 325 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 326 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | | 327 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to an other resource | Terraform | -| 328 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | -| 329 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | +| 328 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | +| 329 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | | 330 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | | 331 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | | 332 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | | 333 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | | 334 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | | 335 | CKV2_AWS_11 | resource | aws_vpc | Ensure VPC flow logging is enabled in all VPCs | Terraform | -| 336 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | -| 337 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 336 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 337 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | | 338 | CKV2_AWS_13 | resource | aws_redshift_cluster | Ensure that Redshift clusters has backup plan of AWS Backup | Terraform | -| 339 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | -| 340 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | -| 341 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 342 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 339 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | +| 340 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | +| 341 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 342 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | | 343 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 344 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 345 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | @@ -361,11 +361,11 @@ nav_order: 1 | 350 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | | 351 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | | 352 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | -| 353 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | -| 354 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | +| 353 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | +| 354 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | | 355 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | -| 356 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | -| 357 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | +| 356 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | +| 357 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | | 358 | CKV_AZURE_1 | resource | azurerm_linux_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | | 359 | CKV_AZURE_1 | resource | azurerm_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | | 360 | CKV_AZURE_1 | resource | Microsoft.Compute/virtualMachines | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | arm | @@ -567,19 +567,19 @@ nav_order: 1 | 556 | CKV_AZURE_131 | resource | azurerm_security_center_contact | Ensure that 'Security contact emails' is set | Terraform | | 557 | CKV_AZURE_131 | parameter | secureString | SecureString parameter should not have hardcoded default values | arm | | 558 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | -| 559 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 560 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 561 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 562 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 563 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 564 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 565 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 566 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 567 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 568 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 569 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 570 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | -| 571 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 559 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 560 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 561 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 562 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 563 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 564 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 565 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 566 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 567 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 568 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 569 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 570 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 571 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 572 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | | 573 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 574 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | @@ -588,24 +588,24 @@ nav_order: 1 | 577 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | | 578 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | | 579 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | -| 580 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | -| 581 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | -| 582 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | -| 583 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | +| 580 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | +| 581 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | +| 582 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | +| 583 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | | 584 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | -| 585 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 586 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 585 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 586 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | | 587 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | | 588 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 589 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | -| 590 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 589 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 590 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 591 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | -| 592 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 593 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 592 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 593 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | | 594 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | | 595 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 596 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 597 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 596 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 597 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 598 | CKV_DOCKER_1 | dockerfile | EXPOSE | Ensure port 22 is not exposed | dockerfile | | 599 | CKV_DOCKER_2 | dockerfile | * | Ensure that HEALTHCHECK instructions have been added to container images | dockerfile | | 600 | CKV_DOCKER_3 | dockerfile | * | Ensure that a user for the container has been created | dockerfile | @@ -698,279 +698,279 @@ nav_order: 1 | 687 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | | 688 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | | 689 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 690 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 691 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 692 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 693 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 694 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 695 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 696 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 697 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 698 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 699 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 700 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 701 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 702 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 703 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 704 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 705 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 706 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 707 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 708 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 709 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 710 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 711 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 712 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 713 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 714 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 715 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 716 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 717 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 718 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 719 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 720 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 721 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 722 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 723 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 724 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 725 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 726 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 727 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 728 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 729 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 730 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 731 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 732 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 733 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 734 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 735 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 736 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 737 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 738 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 739 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 740 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 741 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 742 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 743 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 744 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 745 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 746 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 747 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 748 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 749 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 750 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 751 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 752 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 753 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 754 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 755 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 756 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 757 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 758 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 759 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 760 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 761 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 762 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 763 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 764 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 765 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 766 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 767 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 768 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 769 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 770 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 771 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 772 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 773 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 774 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 775 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 776 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 777 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 778 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 779 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 780 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 781 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 782 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 783 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 784 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 785 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 786 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 787 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 788 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 789 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 790 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 791 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 792 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 793 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 794 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 795 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 796 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 797 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 798 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 799 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 800 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 801 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 802 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 803 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 804 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 805 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 806 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 807 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 808 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 809 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 810 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 811 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 812 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 813 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 814 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 815 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 816 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 817 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 818 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 819 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 820 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 821 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 822 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 823 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 824 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 825 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 826 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 827 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 828 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 829 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 830 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 831 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 832 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 833 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 834 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 835 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 836 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 837 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 838 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 839 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 840 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 841 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 842 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 843 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 844 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 845 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 846 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 847 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 848 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 849 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 850 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 851 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 852 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 853 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 854 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 855 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 856 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 857 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 858 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 859 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 860 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 861 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 862 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 863 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 864 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 865 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 866 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 867 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 868 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 869 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 870 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 871 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 872 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 873 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 874 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 875 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 876 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 877 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 878 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 879 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 880 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 881 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 882 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 883 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 884 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 885 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 886 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 887 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 888 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 889 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 890 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 891 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 892 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 893 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 894 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 895 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 690 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 691 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 692 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 693 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 694 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 695 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 696 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 697 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 698 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 699 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 700 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 701 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 702 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 703 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 704 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 705 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 706 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 707 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 708 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 709 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 710 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 711 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 712 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 713 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 714 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 715 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 716 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 717 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 718 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 719 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 720 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 721 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 722 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 723 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 724 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 725 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 726 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 727 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 728 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 729 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 730 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 731 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 732 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 733 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 734 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 735 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 736 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 737 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 738 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 739 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 740 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 741 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 742 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 743 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 744 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 745 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 746 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 747 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 748 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 749 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 750 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 751 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 752 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 753 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 754 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 755 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 756 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 757 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 758 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 759 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 760 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 761 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 762 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 763 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 764 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 765 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 766 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 767 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 768 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 769 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 770 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 771 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 772 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 773 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 774 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 775 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 776 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 777 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 778 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 779 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 780 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 781 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 782 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 783 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 784 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 785 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 786 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 787 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 788 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 789 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 790 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 791 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 792 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 793 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 794 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 795 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 796 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 797 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 798 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 799 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 800 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 801 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 802 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 803 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 804 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 805 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 806 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 807 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 808 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 809 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 810 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 811 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 812 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 813 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 814 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 815 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 816 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 817 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 818 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 819 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 820 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 821 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 822 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 823 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 824 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 825 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 826 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 827 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 828 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 829 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 830 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 831 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 832 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 833 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 834 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 835 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 836 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 837 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 838 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 839 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 840 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 841 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 842 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 843 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 844 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 845 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 846 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 847 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 848 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 849 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 850 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 851 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 852 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 853 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 854 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 855 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 856 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 857 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 858 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 859 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 860 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 861 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 862 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 863 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 864 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 865 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 866 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 867 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 868 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 869 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 870 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 871 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 872 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 873 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 874 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 875 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 876 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 877 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 878 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 879 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 880 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 881 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 882 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 883 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 884 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 885 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 886 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 887 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 888 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 889 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 890 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 891 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 892 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 893 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 894 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 895 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 896 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 897 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 898 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 899 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 900 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 901 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 902 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 903 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 904 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 905 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 906 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 907 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 908 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 909 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 910 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 911 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 912 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 913 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 914 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 915 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 916 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 917 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 918 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 919 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 920 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 921 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 922 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 923 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 924 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 925 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 926 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 927 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 928 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 929 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 930 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 931 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 932 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 933 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 934 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 935 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 936 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 937 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 938 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 939 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 940 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 941 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 942 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 943 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 944 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 945 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 946 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 947 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 948 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 949 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 950 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 951 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 952 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 897 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 898 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 899 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 900 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 901 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 902 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 903 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 904 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 905 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 906 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 907 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 908 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 909 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 910 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 911 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 912 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 913 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 914 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 915 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 916 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 917 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 918 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 919 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 920 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 921 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 922 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 923 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 924 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 925 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 926 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 927 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 928 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 929 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 930 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 931 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 932 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 933 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 934 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 935 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 936 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 937 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 938 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 939 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 940 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 941 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 942 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 943 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 944 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 945 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 946 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 947 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 948 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 949 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 950 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 951 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 952 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 953 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 954 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 954 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 955 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 956 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 957 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 958 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 956 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 957 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 958 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | | 959 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 960 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 961 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | -| 962 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 960 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 961 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 962 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 963 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform | | 964 | CKV_K8S_1 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host process ID namespace | Kubernetes | | 965 | CKV_K8S_2 | resource | PodSecurityPolicy | Do not admit privileged containers | Kubernetes | From 5402bbb30f5f1ba7aaeb5994bcee9e9885035fa0 Mon Sep 17 00:00:00 2001 From: Saar Ettinger Date: Tue, 17 Aug 2021 19:21:22 +0300 Subject: [PATCH 171/203] Merge pull request #1510 from bridgecrewio/fix_cfn_template_crash CFN runner crashes during edges creation and IAMRoleAllowAssumeFromAccount check --- docs/5.Policy Index/serverless.md | 130 ++++++++++++++++++++++++++++++ 1 file changed, 130 insertions(+) diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index d35af83ca3..020ab484d2 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md @@ -16,3 +16,133 @@ nav_order: 1 --- +| | Id | Type | Entity | Policy | IaC | +|-----|-------------|----------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| +| 0 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | +| 1 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | +| 2 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | +| 3 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | +| 4 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | +| 5 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | +| 6 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | +| 7 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | +| 8 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | +| 9 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | +| 10 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | +| 11 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | +| 12 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | +| 13 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | +| 14 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | +| 15 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 16 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 17 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 18 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 19 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | +| 20 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | +| 21 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | +| 22 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | +| 23 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | +| 24 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | +| 25 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | +| 26 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | +| 27 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | +| 28 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | +| 29 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | +| 30 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | +| 31 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | +| 32 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | +| 33 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | +| 34 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | +| 35 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | +| 36 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | +| 37 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | +| 38 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | +| 39 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | +| 40 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | +| 41 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | +| 42 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | +| 43 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | +| 44 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | +| 45 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | +| 46 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | +| 47 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | +| 48 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | +| 49 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | +| 50 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | +| 51 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | +| 52 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | +| 53 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | +| 54 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | +| 55 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | +| 56 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | +| 57 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | +| 58 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | +| 59 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | +| 60 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | +| 61 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | +| 62 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | +| 63 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | +| 64 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | +| 65 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | +| 66 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | +| 67 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | +| 68 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | +| 69 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | +| 70 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | +| 71 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | +| 72 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | +| 73 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | +| 74 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | +| 75 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | +| 76 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | +| 77 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | +| 78 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | +| 79 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | +| 80 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 81 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 82 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 83 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 84 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 85 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 86 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 87 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 88 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 89 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 90 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 91 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 92 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 93 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 94 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 95 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 96 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 97 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 98 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 99 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 100 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 101 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 102 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 103 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 104 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 105 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | +| 106 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | +| 107 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | +| 108 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | +| 109 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | +| 110 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | +| 111 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | +| 112 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | +| 113 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | +| 114 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | +| 115 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | +| 116 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | +| 117 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | +| 118 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | +| 119 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | +| 120 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | +| 121 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | +| 122 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | + + +--- + + From 047b165c24810a34be84f91893a42eccf5641204 Mon Sep 17 00:00:00 2001 From: Saar Ettinger Date: Tue, 17 Aug 2021 19:21:22 +0300 Subject: [PATCH 172/203] Merge pull request #1510 from bridgecrewio/fix_cfn_template_crash CFN runner crashes during edges creation and IAMRoleAllowAssumeFromAccount check --- checkov/version.py | 2 +- kubernetes/requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/checkov/version.py b/checkov/version.py index e7744692f9..019465676e 100644 --- a/checkov/version.py +++ b/checkov/version.py @@ -1 +1 @@ -version = '2.0.358' +version = '2.0.359' diff --git a/kubernetes/requirements.txt b/kubernetes/requirements.txt index f0570bbc23..ec3d02dcca 100644 --- a/kubernetes/requirements.txt +++ b/kubernetes/requirements.txt @@ -1 +1 @@ -checkov==2.0.358 +checkov==2.0.359 From 9e2c0653bee863d570048cfad7fe7856c28e105c Mon Sep 17 00:00:00 2001 From: mikeurbanski1 Date: Tue, 17 Aug 2021 17:57:39 -0500 Subject: [PATCH 173/203] pass record BC ID to super (#1513) --- checkov/common/output/graph_record.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/checkov/common/output/graph_record.py b/checkov/common/output/graph_record.py index ee5c36ba25..2661efa8e0 100644 --- a/checkov/common/output/graph_record.py +++ b/checkov/common/output/graph_record.py @@ -8,6 +8,6 @@ def __init__(self, record, breadcrumbs): super().__init__(record.check_id, record.check_name, record.check_result, record.code_block, record.file_path, record.file_line_range, record.resource, record.evaluations, record.check_class, record.file_abs_path, record.entity_tags, record.caller_file_path, - record.caller_file_line_range) + record.caller_file_line_range, bc_check_id=record.bc_check_id) self.fixed_definition = record.fixed_definition self.breadcrumbs = breadcrumbs From 6eb24aa1754306f2c7ca204eec965b64f524bd26 Mon Sep 17 00:00:00 2001 From: mikeurbanski1 Date: Tue, 17 Aug 2021 17:57:39 -0500 Subject: [PATCH 174/203] pass record BC ID to super (#1513) --- docs/5.Policy Index/terraform.md | 590 +++++++++++++++---------------- 1 file changed, 295 insertions(+), 295 deletions(-) diff --git a/docs/5.Policy Index/terraform.md b/docs/5.Policy Index/terraform.md index f4cdf57e9f..a657a32fba 100644 --- a/docs/5.Policy Index/terraform.md +++ b/docs/5.Policy Index/terraform.md @@ -203,23 +203,23 @@ nav_order: 1 | 192 | CKV_AWS_172 | resource | aws_qldb_ledger | Ensure QLDB ledger has deletion protection enabled | Terraform | | 193 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | | 194 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | -| 195 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | -| 196 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 195 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 196 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | | 197 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | | 198 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 199 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | -| 200 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 199 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 200 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | | 201 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to an other resource | Terraform | -| 202 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | -| 203 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | -| 204 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | -| 205 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 202 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | +| 203 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | +| 204 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 205 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | | 206 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | | 207 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | | 208 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | | 209 | CKV2_AWS_11 | resource | aws_vpc | Ensure VPC flow logging is enabled in all VPCs | Terraform | -| 210 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | -| 211 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 210 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 211 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | | 212 | CKV2_AWS_13 | resource | aws_redshift_cluster | Ensure that Redshift clusters has backup plan of AWS Backup | Terraform | | 213 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | | 214 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | @@ -228,18 +228,18 @@ nav_order: 1 | 217 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 218 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 219 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | -| 220 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 221 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 222 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | -| 223 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 220 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | +| 221 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | +| 222 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 223 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | | 224 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | | 225 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | | 226 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | -| 227 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | -| 228 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | +| 227 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | +| 228 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | | 229 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | -| 230 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | -| 231 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | +| 230 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | +| 231 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | | 232 | CKV_AZURE_1 | resource | azurerm_linux_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | | 233 | CKV_AZURE_1 | resource | azurerm_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | | 234 | CKV_AZURE_2 | resource | azurerm_managed_disk | Ensure Azure managed disk has encryption enabled | Terraform | @@ -388,29 +388,29 @@ nav_order: 1 | 377 | CKV_AZURE_130 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables infrastructure encryption | Terraform | | 378 | CKV_AZURE_131 | resource | azurerm_security_center_contact | Ensure that 'Security contact emails' is set | Terraform | | 379 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | -| 380 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 381 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 382 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 380 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 381 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 382 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 383 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 384 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 385 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 384 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 385 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 386 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 387 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 388 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 387 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 388 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | | 389 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 390 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 391 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | -| 392 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 390 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 391 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 392 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 393 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | -| 394 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | -| 395 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | +| 394 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | +| 395 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 396 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | | 397 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | | 398 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | | 399 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | | 400 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | -| 401 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | -| 402 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | +| 401 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | +| 402 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | | 403 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | | 404 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | | 405 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | @@ -511,277 +511,277 @@ nav_order: 1 | 500 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | | 501 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | | 502 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 503 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 504 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 505 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 506 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 507 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 508 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 509 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 510 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 511 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 512 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 513 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 514 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 515 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 516 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 503 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 504 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 505 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 506 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 507 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 508 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 509 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 510 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 511 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 512 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 513 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 514 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 515 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 516 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 517 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 518 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 519 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 520 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 521 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 522 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 523 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 524 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 525 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 526 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 527 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 528 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 529 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 530 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 531 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 532 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 533 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 534 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 535 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 536 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 537 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 538 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 539 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 540 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 541 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 542 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 543 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 544 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 545 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 546 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 547 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 548 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 549 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 550 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 551 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 552 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 553 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 554 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 555 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 556 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 557 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 558 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 559 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 560 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 561 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 562 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 563 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 564 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 565 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 566 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 567 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 568 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 569 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 570 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 518 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 519 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 520 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 521 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 522 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 523 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 524 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 525 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 526 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 527 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 528 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 529 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 530 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 531 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 532 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 533 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 534 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 535 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 536 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 537 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 538 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 539 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 540 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 541 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 542 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 543 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 544 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 545 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 546 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 547 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 548 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 549 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 550 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 551 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 552 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 553 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 554 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 555 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 556 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 557 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 558 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 559 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 560 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 561 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 562 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 563 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 564 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 565 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 566 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 567 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 568 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 569 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 570 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 571 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 572 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 573 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 574 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 575 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 576 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 577 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 578 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 579 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 580 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 581 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 582 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 583 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 584 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 585 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 586 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 587 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 588 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 589 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 590 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 591 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 592 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 593 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 594 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 595 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 596 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 597 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 598 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 599 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 600 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 601 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 602 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 603 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 604 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 605 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 606 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 607 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 608 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 609 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 610 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 611 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 612 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 613 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 614 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 615 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 616 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 617 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 618 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 619 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 620 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 621 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 622 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 623 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 624 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 625 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 626 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 627 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 628 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 629 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 630 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 631 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 632 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 633 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 634 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 635 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 636 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 637 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 638 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 639 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 640 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 641 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 642 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 643 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 644 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 645 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 646 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 647 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 648 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 649 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 650 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 651 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 652 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 653 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 654 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 655 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 656 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 657 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 658 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 659 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 660 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 661 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 662 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 663 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 664 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 665 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 666 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 667 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 668 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 669 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 670 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 671 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 672 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 673 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 674 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 675 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 676 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 677 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 678 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 679 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 680 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 681 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 682 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 683 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 684 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 685 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 686 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 687 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 688 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 689 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 690 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 691 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 692 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 693 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 694 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 695 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 696 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 697 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 698 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 699 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 700 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 701 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 702 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 703 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 704 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 705 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 706 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 707 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 708 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 709 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 710 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 711 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 712 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 713 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 572 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 573 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 574 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 575 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 576 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 577 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 578 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 579 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 580 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 581 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 582 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 583 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 584 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 585 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 586 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 587 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 588 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 589 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 590 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 591 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 592 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 593 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 594 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 595 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 596 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 597 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 598 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 599 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 600 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 601 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 602 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 603 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 604 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 605 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 606 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 607 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 608 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 609 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 610 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 611 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 612 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 613 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 614 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 615 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 616 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 617 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 618 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 619 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 620 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 621 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 622 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 623 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 624 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 625 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 626 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 627 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 628 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 629 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 630 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 631 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 632 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 633 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 634 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 635 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 636 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 637 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 638 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 639 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 640 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 641 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 642 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 643 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 644 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 645 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 646 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 647 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 648 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 649 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 650 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 651 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 652 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 653 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 654 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 655 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 656 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 657 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 658 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 659 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 660 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 661 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 662 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 663 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 664 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 665 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 666 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 667 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 668 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 669 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 670 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 671 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 672 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 673 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 674 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 675 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 676 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 677 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 678 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 679 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 680 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 681 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 682 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 683 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 684 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 685 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 686 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 687 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 688 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 689 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 690 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 691 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 692 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 693 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 694 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 695 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 696 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 697 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 698 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 699 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 700 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 701 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 702 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 703 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 704 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 705 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 706 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 707 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 708 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 709 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 710 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 711 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 712 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 713 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 714 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 715 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 716 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 717 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 718 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 719 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 720 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 721 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 722 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 723 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 724 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 725 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 726 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 727 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 728 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 729 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 730 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 731 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 732 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 733 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 734 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 735 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 736 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 737 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 738 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 739 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 740 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 741 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 742 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 743 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 744 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 745 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 746 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 747 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 748 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 749 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 750 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 751 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 752 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 753 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 754 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 755 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 756 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 757 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 758 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 759 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 760 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 761 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 762 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 763 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 764 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 765 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 766 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 715 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 716 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 717 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 718 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 719 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 720 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 721 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 722 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 723 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 724 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 725 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 726 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 727 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 728 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 729 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 730 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 731 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 732 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 733 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 734 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 735 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 736 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 737 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 738 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 739 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 740 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 741 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 742 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 743 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 744 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 745 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 746 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 747 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 748 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 749 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 750 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 751 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 752 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 753 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 754 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 755 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 756 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 757 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 758 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 759 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 760 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 761 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 762 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 763 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 764 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 765 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 766 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 767 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 768 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 769 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | | 770 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 771 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 771 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | | 772 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 773 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 773 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | | 774 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 775 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 776 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform | From b05817d360da85b971b3100d73589d9e42e8b20b Mon Sep 17 00:00:00 2001 From: mikeurbanski1 Date: Tue, 17 Aug 2021 17:57:39 -0500 Subject: [PATCH 175/203] pass record BC ID to super (#1513) --- docs/5.Policy Index/serverless.md | 130 ------------------------------ 1 file changed, 130 deletions(-) diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index 020ab484d2..d35af83ca3 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md @@ -16,133 +16,3 @@ nav_order: 1 --- -| | Id | Type | Entity | Policy | IaC | -|-----|-------------|----------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| -| 0 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | -| 1 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | -| 2 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | -| 3 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | -| 4 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | -| 5 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | -| 6 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | -| 7 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | -| 8 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | -| 9 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | -| 10 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | -| 11 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | -| 12 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | -| 13 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | -| 14 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | -| 15 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 16 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 17 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 18 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 19 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | -| 20 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | -| 21 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | -| 22 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | -| 23 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | -| 24 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | -| 25 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | -| 26 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | -| 27 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | -| 28 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | -| 29 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | -| 30 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | -| 31 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | -| 32 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | -| 33 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | -| 34 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | -| 35 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | -| 36 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | -| 37 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | -| 38 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | -| 39 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | -| 40 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | -| 41 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | -| 42 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | -| 43 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | -| 44 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | -| 45 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | -| 46 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | -| 47 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | -| 48 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | -| 49 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | -| 50 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | -| 51 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | -| 52 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | -| 53 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | -| 54 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | -| 55 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | -| 56 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | -| 57 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | -| 58 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | -| 59 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | -| 60 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | -| 61 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | -| 62 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | -| 63 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | -| 64 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | -| 65 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | -| 66 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | -| 67 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | -| 68 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | -| 69 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | -| 70 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | -| 71 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | -| 72 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | -| 73 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | -| 74 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | -| 75 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | -| 76 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | -| 77 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | -| 78 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | -| 79 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | -| 80 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 81 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 82 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 83 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 84 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 85 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 86 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 87 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 88 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 89 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 90 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 91 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 92 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 93 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 94 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 95 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 96 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 97 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 98 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 99 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 100 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 101 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 102 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 103 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 104 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 105 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | -| 106 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | -| 107 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | -| 108 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | -| 109 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | -| 110 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | -| 111 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | -| 112 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | -| 113 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | -| 114 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | -| 115 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | -| 116 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | -| 117 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | -| 118 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | -| 119 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | -| 120 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | -| 121 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | -| 122 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | - - ---- - - From 988274a3dca47ab0f4c2fe4404d1c43a1046d827 Mon Sep 17 00:00:00 2001 From: mikeurbanski1 Date: Tue, 17 Aug 2021 17:57:39 -0500 Subject: [PATCH 176/203] pass record BC ID to super (#1513) --- docs/5.Policy Index/all.md | 604 ++++++++++++++++++------------------- 1 file changed, 302 insertions(+), 302 deletions(-) diff --git a/docs/5.Policy Index/all.md b/docs/5.Policy Index/all.md index 150ee9b586..979352fdc9 100644 --- a/docs/5.Policy Index/all.md +++ b/docs/5.Policy Index/all.md @@ -338,26 +338,26 @@ nav_order: 1 | 327 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to an other resource | Terraform | | 328 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | | 329 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | -| 330 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | -| 331 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 330 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 331 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | | 332 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | | 333 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | | 334 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | | 335 | CKV2_AWS_11 | resource | aws_vpc | Ensure VPC flow logging is enabled in all VPCs | Terraform | -| 336 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | -| 337 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 336 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 337 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | | 338 | CKV2_AWS_13 | resource | aws_redshift_cluster | Ensure that Redshift clusters has backup plan of AWS Backup | Terraform | -| 339 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | -| 340 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | -| 341 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 342 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 339 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | +| 340 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | +| 341 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 342 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | | 343 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 344 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 345 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | -| 346 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 347 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 348 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | -| 349 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 346 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | +| 347 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | +| 348 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 349 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | | 350 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | | 351 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | | 352 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | @@ -578,34 +578,34 @@ nav_order: 1 | 567 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | | 568 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | | 569 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 570 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | -| 571 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 570 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 571 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 572 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | -| 573 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | -| 574 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | +| 573 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | +| 574 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 575 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | -| 576 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | -| 577 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 576 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 577 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | | 578 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | | 579 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | | 580 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | | 581 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | -| 582 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | -| 583 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | +| 582 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | +| 583 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | | 584 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | -| 585 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 586 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 587 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 588 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 585 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 586 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 587 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 588 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | | 589 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 590 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 591 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | -| 592 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 593 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 594 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 595 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 596 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 597 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 592 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 593 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 594 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 595 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 596 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 597 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 598 | CKV_DOCKER_1 | dockerfile | EXPOSE | Ensure port 22 is not exposed | dockerfile | | 599 | CKV_DOCKER_2 | dockerfile | * | Ensure that HEALTHCHECK instructions have been added to container images | dockerfile | | 600 | CKV_DOCKER_3 | dockerfile | * | Ensure that a user for the container has been created | dockerfile | @@ -698,279 +698,279 @@ nav_order: 1 | 687 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | | 688 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | | 689 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 690 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 691 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 692 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 693 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 694 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 695 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 696 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 697 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 698 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 699 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 700 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 701 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 702 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 703 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 704 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 705 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 706 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 707 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 708 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 709 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 710 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 711 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 712 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 713 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 714 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 715 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 716 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 717 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 718 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 719 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 720 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 721 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 722 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 723 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 724 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 725 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 726 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 727 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 728 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 729 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 730 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 731 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 732 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 733 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 734 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 735 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 736 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 737 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 738 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 739 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 740 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 741 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 742 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 743 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 744 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 745 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 746 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 747 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 748 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 749 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 750 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 751 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 752 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 753 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 754 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 755 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 756 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 757 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 758 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 759 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 760 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 761 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 762 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 763 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 764 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 765 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 766 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 767 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 768 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 769 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 770 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 771 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 772 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 773 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 774 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 775 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 776 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 777 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 778 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 779 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 780 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 781 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 782 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 783 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 784 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 785 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 786 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 787 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 788 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 789 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 790 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 791 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 792 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 793 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 794 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 795 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 796 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 797 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 798 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 799 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 800 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 801 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 802 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 803 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 804 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 805 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 806 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 807 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 808 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 809 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 810 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 811 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 812 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 813 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 814 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 815 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 816 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 817 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 818 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 819 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 820 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 821 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 822 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 823 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 824 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 825 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 826 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 827 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 828 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 829 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 830 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 831 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 832 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 833 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 834 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 835 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 836 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 837 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 838 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 839 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 840 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 841 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 842 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 843 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 844 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 845 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 846 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 847 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 848 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 849 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 850 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 851 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 852 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 853 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 854 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 855 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 856 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 857 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 858 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 859 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 860 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 861 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 862 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 863 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 864 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 865 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 866 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 867 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 868 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 869 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 870 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 871 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 872 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 873 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 874 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 875 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 876 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 877 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 878 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 879 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 880 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 881 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 882 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 883 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 884 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 885 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 886 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 887 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 888 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 889 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 890 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 891 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 892 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 893 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 894 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 895 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 896 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 897 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 898 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 899 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 900 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 901 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 902 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 903 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 904 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 905 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 906 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 907 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 908 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 909 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 910 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 911 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 912 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 913 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 914 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 915 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 916 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 917 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 918 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 919 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 920 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 921 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 922 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 923 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 924 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 925 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 926 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 927 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 928 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 929 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 930 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 931 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 932 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 933 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 934 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 935 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 936 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 937 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 938 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 939 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 940 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 941 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 942 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 943 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 944 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 945 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 946 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 947 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 948 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 949 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 950 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 951 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 952 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 953 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 954 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 955 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 956 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 957 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 958 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 959 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 690 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 691 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 692 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 693 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 694 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 695 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 696 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 697 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 698 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 699 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 700 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 701 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 702 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 703 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 704 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 705 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 706 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 707 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 708 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 709 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 710 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 711 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 712 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 713 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 714 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 715 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 716 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 717 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 718 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 719 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 720 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 721 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 722 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 723 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 724 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 725 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 726 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 727 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 728 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 729 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 730 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 731 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 732 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 733 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 734 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 735 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 736 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 737 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 738 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 739 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 740 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 741 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 742 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 743 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 744 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 745 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 746 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 747 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 748 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 749 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 750 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 751 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 752 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 753 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 754 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 755 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 756 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 757 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 758 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 759 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 760 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 761 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 762 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 763 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 764 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 765 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 766 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 767 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 768 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 769 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 770 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 771 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 772 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 773 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 774 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 775 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 776 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 777 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 778 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 779 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 780 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 781 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 782 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 783 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 784 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 785 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 786 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 787 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 788 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 789 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 790 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 791 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 792 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 793 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 794 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 795 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 796 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 797 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 798 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 799 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 800 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 801 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 802 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 803 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 804 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 805 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 806 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 807 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 808 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 809 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 810 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 811 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 812 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 813 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 814 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 815 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 816 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 817 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 818 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 819 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 820 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 821 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 822 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 823 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 824 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 825 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 826 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 827 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 828 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 829 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 830 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 831 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 832 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 833 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 834 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 835 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 836 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 837 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 838 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 839 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 840 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 841 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 842 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 843 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 844 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 845 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 846 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 847 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 848 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 849 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 850 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 851 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 852 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 853 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 854 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 855 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 856 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 857 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 858 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 859 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 860 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 861 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 862 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 863 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 864 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 865 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 866 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 867 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 868 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 869 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 870 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 871 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 872 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 873 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 874 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 875 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 876 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 877 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 878 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 879 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 880 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 881 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 882 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 883 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 884 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 885 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 886 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 887 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 888 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 889 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 890 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 891 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 892 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 893 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 894 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 895 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 896 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 897 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 898 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 899 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 900 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 901 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 902 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 903 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 904 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 905 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 906 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 907 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 908 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 909 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 910 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 911 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 912 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 913 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 914 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 915 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 916 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 917 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 918 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 919 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 920 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 921 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 922 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 923 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 924 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 925 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 926 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 927 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 928 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 929 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 930 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 931 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 932 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 933 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 934 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 935 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 936 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 937 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 938 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 939 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 940 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 941 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 942 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 943 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 944 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 945 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 946 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 947 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 948 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 949 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 950 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 951 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 952 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 953 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 954 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 955 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 956 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 957 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 958 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 959 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | | 960 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 961 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | -| 962 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 961 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 962 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 963 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform | | 964 | CKV_K8S_1 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host process ID namespace | Kubernetes | | 965 | CKV_K8S_2 | resource | PodSecurityPolicy | Do not admit privileged containers | Kubernetes | From 066eb19c0d6a4d758b75ed1751acf6a4cb5b8214 Mon Sep 17 00:00:00 2001 From: mikeurbanski1 Date: Tue, 17 Aug 2021 17:57:39 -0500 Subject: [PATCH 177/203] pass record BC ID to super (#1513) --- docs/5.Policy Index/serverless.md | 130 ++++++++++++++++++++++++++++++ 1 file changed, 130 insertions(+) diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index d35af83ca3..020ab484d2 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md @@ -16,3 +16,133 @@ nav_order: 1 --- +| | Id | Type | Entity | Policy | IaC | +|-----|-------------|----------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| +| 0 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | +| 1 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | +| 2 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | +| 3 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | +| 4 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | +| 5 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | +| 6 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | +| 7 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | +| 8 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | +| 9 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | +| 10 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | +| 11 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | +| 12 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | +| 13 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | +| 14 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | +| 15 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 16 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 17 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 18 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 19 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | +| 20 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | +| 21 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | +| 22 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | +| 23 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | +| 24 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | +| 25 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | +| 26 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | +| 27 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | +| 28 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | +| 29 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | +| 30 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | +| 31 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | +| 32 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | +| 33 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | +| 34 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | +| 35 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | +| 36 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | +| 37 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | +| 38 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | +| 39 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | +| 40 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | +| 41 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | +| 42 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | +| 43 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | +| 44 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | +| 45 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | +| 46 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | +| 47 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | +| 48 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | +| 49 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | +| 50 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | +| 51 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | +| 52 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | +| 53 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | +| 54 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | +| 55 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | +| 56 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | +| 57 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | +| 58 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | +| 59 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | +| 60 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | +| 61 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | +| 62 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | +| 63 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | +| 64 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | +| 65 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | +| 66 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | +| 67 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | +| 68 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | +| 69 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | +| 70 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | +| 71 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | +| 72 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | +| 73 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | +| 74 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | +| 75 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | +| 76 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | +| 77 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | +| 78 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | +| 79 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | +| 80 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 81 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 82 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 83 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 84 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 85 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 86 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 87 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 88 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 89 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 90 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 91 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 92 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 93 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 94 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 95 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 96 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 97 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 98 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 99 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 100 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 101 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 102 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 103 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 104 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 105 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | +| 106 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | +| 107 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | +| 108 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | +| 109 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | +| 110 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | +| 111 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | +| 112 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | +| 113 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | +| 114 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | +| 115 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | +| 116 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | +| 117 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | +| 118 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | +| 119 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | +| 120 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | +| 121 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | +| 122 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | + + +--- + + From 7cfeda3367a2fb9887f7ea0bcf9c7fa518b2b231 Mon Sep 17 00:00:00 2001 From: mikeurbanski1 Date: Tue, 17 Aug 2021 17:57:39 -0500 Subject: [PATCH 178/203] pass record BC ID to super (#1513) --- checkov/version.py | 2 +- kubernetes/requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/checkov/version.py b/checkov/version.py index 019465676e..337c3d723b 100644 --- a/checkov/version.py +++ b/checkov/version.py @@ -1 +1 @@ -version = '2.0.359' +version = '2.0.360' diff --git a/kubernetes/requirements.txt b/kubernetes/requirements.txt index ec3d02dcca..27f399a9ee 100644 --- a/kubernetes/requirements.txt +++ b/kubernetes/requirements.txt @@ -1 +1 @@ -checkov==2.0.359 +checkov==2.0.360 From 6a90c0f9c9ada6714916981a541d66ea6939a01a Mon Sep 17 00:00:00 2001 From: Matthew Wynn Date: Tue, 17 Aug 2021 16:18:20 -0700 Subject: [PATCH 179/203] Fix CKV2_AWS_5 to for SGs attached to aws_cloudwatch_event_target (#1514) --- .../aws/SGAttachedToResource.yaml | 3 +- .../SGAttachedToResource/expected.yaml | 3 +- .../resources/SGAttachedToResource/main.tf | 37 ++++++++++++++++++- 3 files changed, 40 insertions(+), 3 deletions(-) diff --git a/checkov/terraform/checks/graph_checks/aws/SGAttachedToResource.yaml b/checkov/terraform/checks/graph_checks/aws/SGAttachedToResource.yaml index 318d17a427..c7477d881a 100644 --- a/checkov/terraform/checks/graph_checks/aws/SGAttachedToResource.yaml +++ b/checkov/terraform/checks/graph_checks/aws/SGAttachedToResource.yaml @@ -14,6 +14,7 @@ definition: connected_resource_types: - aws_alb - aws_batch_compute_environment + - aws_cloudwatch_event_target - aws_codebuild_project - aws_db_instance - aws_dms_replication_instance @@ -43,4 +44,4 @@ definition: - aws_vpc_endpoint operator: exists attribute: networking - cond_type: connection \ No newline at end of file + cond_type: connection diff --git a/tests/terraform/graph/checks/resources/SGAttachedToResource/expected.yaml b/tests/terraform/graph/checks/resources/SGAttachedToResource/expected.yaml index a128072d73..4daa68a72b 100644 --- a/tests/terraform/graph/checks/resources/SGAttachedToResource/expected.yaml +++ b/tests/terraform/graph/checks/resources/SGAttachedToResource/expected.yaml @@ -1,6 +1,7 @@ pass: - "aws_security_group.pass_alb" - "aws_security_group.pass_batch" + - "aws_security_group.pass_cloudwatch_event" - "aws_security_group.pass_codebuild" - "aws_security_group.pass_dms" - "aws_security_group.pass_docdb" @@ -29,4 +30,4 @@ pass: - "aws_security_group.pass_sagemaker" - "aws_security_group.pass_vpc_endpoint" fail: - - "aws_security_group.fail" \ No newline at end of file + - "aws_security_group.fail" diff --git a/tests/terraform/graph/checks/resources/SGAttachedToResource/main.tf b/tests/terraform/graph/checks/resources/SGAttachedToResource/main.tf index cd216c7901..003e5ea72a 100644 --- a/tests/terraform/graph/checks/resources/SGAttachedToResource/main.tf +++ b/tests/terraform/graph/checks/resources/SGAttachedToResource/main.tf @@ -599,4 +599,39 @@ resource "aws_security_group" "pass_emr" { protocol = "-1" cidr_blocks = ["10.0.0.0/16"] } -} \ No newline at end of file +} + +resource "aws_cloudwatch_event_target" "pass_cloudwatch_event" { + target_id = var.target_id + arn = var.arn + rule = var.rule + role_arn = var.role_arn + + ecs_target { + launch_type = var.launch_type + task_count = var.task_count + task_definition_arn = var.task_definition_arn + + network_configuration { + subnets = [var.subnet_id] + security_groups = [aws_security_group.pass_cloudwatch_event.id] + assign_public_ip = false + } + } + + input = < Date: Wed, 18 Aug 2021 00:18:56 +0100 Subject: [PATCH 180/203] Update INTHEWILD.md (#1511) Added PunkSecurity from the UK --- INTHEWILD.md | 1 + 1 file changed, 1 insertion(+) diff --git a/INTHEWILD.md b/INTHEWILD.md index 2d3eb957c9..c7c59dcef9 100644 --- a/INTHEWILD.md +++ b/INTHEWILD.md @@ -16,4 +16,5 @@ Please send a PR with your company name and @githubhandle. 1. [Square](https://squareup.com/) [[@ac-square](https://github.com/ac-square), [@santoshankr](https://github.com/santoshankr)] 1. [Madhu Akula](https://madhuakula.com/) [[@madhuakula](https://github.com/madhuakula)] 1. [Royal Vopak N.V.](https://vopak.com/) [[@xmariopereira](https://github.com/xmariopereira)] +1. [Punk Security (UK)](https://punksecurity.co.uk/) [[@punksecurity](https://github.com/punk-security)] From a0bac88504693df3a9448223cf51fc43f82b94ec Mon Sep 17 00:00:00 2001 From: Matthew Wynn Date: Tue, 17 Aug 2021 16:18:20 -0700 Subject: [PATCH 181/203] Fix CKV2_AWS_5 to for SGs attached to aws_cloudwatch_event_target (#1514) --- docs/5.Policy Index/terraform.md | 596 +++++++++++++++---------------- 1 file changed, 298 insertions(+), 298 deletions(-) diff --git a/docs/5.Policy Index/terraform.md b/docs/5.Policy Index/terraform.md index a657a32fba..b7e23a44f4 100644 --- a/docs/5.Policy Index/terraform.md +++ b/docs/5.Policy Index/terraform.md @@ -201,14 +201,14 @@ nav_order: 1 | 190 | CKV_AWS_170 | resource | aws_qldb_ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Terraform | | 191 | CKV_AWS_171 | resource | aws_emr_security_configuration | Ensure Cluster security configuration encryption is using SSE-KMS | Terraform | | 192 | CKV_AWS_172 | resource | aws_qldb_ledger | Ensure QLDB ledger has deletion protection enabled | Terraform | -| 193 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | -| 194 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | +| 193 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | +| 194 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | | 195 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | | 196 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | -| 197 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 198 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 199 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | -| 200 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 197 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | +| 198 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | +| 199 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 200 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | | 201 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to an other resource | Terraform | | 202 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | | 203 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | @@ -223,10 +223,10 @@ nav_order: 1 | 212 | CKV2_AWS_13 | resource | aws_redshift_cluster | Ensure that Redshift clusters has backup plan of AWS Backup | Terraform | | 213 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | | 214 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | -| 215 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 216 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 217 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | -| 218 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | +| 215 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 216 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 217 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | +| 218 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 219 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | | 220 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | | 221 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | @@ -238,8 +238,8 @@ nav_order: 1 | 227 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | | 228 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | | 229 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | -| 230 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | -| 231 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | +| 230 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | +| 231 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | | 232 | CKV_AZURE_1 | resource | azurerm_linux_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | | 233 | CKV_AZURE_1 | resource | azurerm_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | | 234 | CKV_AZURE_2 | resource | azurerm_managed_disk | Ensure Azure managed disk has encryption enabled | Terraform | @@ -388,29 +388,29 @@ nav_order: 1 | 377 | CKV_AZURE_130 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables infrastructure encryption | Terraform | | 378 | CKV_AZURE_131 | resource | azurerm_security_center_contact | Ensure that 'Security contact emails' is set | Terraform | | 379 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | -| 380 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 381 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 382 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 380 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 381 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 382 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 383 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 384 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 385 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 384 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 385 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 386 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 387 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 388 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 387 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 388 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | | 389 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 390 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 391 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | -| 392 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 390 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 391 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 392 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 393 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | | 394 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 395 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 396 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | -| 397 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | -| 398 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 397 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 398 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | | 399 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | | 400 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | -| 401 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | -| 402 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | +| 401 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | +| 402 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | | 403 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | | 404 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | | 405 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | @@ -421,11 +421,11 @@ nav_order: 1 | 410 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 411 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 412 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | -| 413 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 414 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 413 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 414 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | | 415 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 416 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 417 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 416 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 417 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 418 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 419 | CKV_GCP_1 | resource | google_container_cluster | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters | Terraform | | 420 | CKV_GCP_2 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted ssh access | Terraform | @@ -511,276 +511,276 @@ nav_order: 1 | 500 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | | 501 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | | 502 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 503 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 504 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 505 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 506 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 507 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 508 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 509 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 510 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 511 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 512 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 513 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 514 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 515 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 516 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 517 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 518 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 519 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 520 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 521 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 522 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 523 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 524 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 525 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 526 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 527 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 528 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 529 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 530 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 531 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 532 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 533 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 534 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 535 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 536 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 537 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 538 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 539 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 540 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 541 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 542 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 543 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 544 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 545 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 546 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 547 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 548 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 549 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 550 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 551 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 552 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 553 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 554 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 555 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 556 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 557 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 558 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 559 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 560 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 561 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 562 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 563 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 564 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 565 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 566 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 567 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 568 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 569 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 570 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 571 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 572 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 573 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 574 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 575 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 576 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 577 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 578 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 579 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 580 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 581 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 582 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 583 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 584 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 585 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 586 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 587 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 588 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 589 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 590 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 591 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 592 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 593 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 594 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 595 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 596 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 597 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 598 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 599 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 600 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 601 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 602 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 603 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 604 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 605 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 606 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 607 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 608 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 609 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 610 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 611 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 612 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 613 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 614 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 615 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 616 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 617 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 618 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 619 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 620 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 621 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 622 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 623 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 624 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 625 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 626 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 627 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 628 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 629 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 630 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 631 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 632 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 633 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 634 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 635 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 636 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 637 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 638 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 639 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 640 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 641 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 642 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 643 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 644 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 645 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 646 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 647 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 648 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 649 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 650 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 651 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 652 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 653 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 654 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 655 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 656 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 657 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 658 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 659 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 660 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 661 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 662 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 663 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 664 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 665 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 666 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 667 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 668 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 669 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 670 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 671 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 672 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 673 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 674 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 675 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 676 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 677 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 678 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 679 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 680 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 681 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 682 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 683 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 684 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 685 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 686 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 687 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 688 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 689 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 690 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 691 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 692 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 693 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 694 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 695 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 696 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 697 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 698 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 699 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 700 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 701 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 702 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 703 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 704 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 705 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 706 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 707 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 708 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 709 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 710 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 711 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 712 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 713 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 714 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 715 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 716 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 717 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 718 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 719 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 720 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 721 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 722 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 723 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 724 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 725 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 726 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 727 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 728 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 729 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 730 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 731 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 732 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 733 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 734 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 735 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 736 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 737 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 738 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 739 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 740 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 741 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 742 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 743 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 744 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 745 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 746 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 747 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 748 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 503 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 504 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 505 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 506 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 507 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 508 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 509 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 510 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 511 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 512 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 513 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 514 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 515 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 516 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 517 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 518 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 519 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 520 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 521 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 522 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 523 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 524 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 525 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 526 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 527 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 528 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 529 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 530 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 531 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 532 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 533 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 534 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 535 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 536 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 537 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 538 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 539 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 540 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 541 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 542 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 543 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 544 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 545 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 546 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 547 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 548 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 549 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 550 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 551 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 552 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 553 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 554 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 555 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 556 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 557 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 558 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 559 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 560 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 561 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 562 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 563 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 564 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 565 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 566 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 567 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 568 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 569 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 570 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 571 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 572 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 573 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 574 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 575 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 576 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 577 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 578 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 579 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 580 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 581 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 582 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 583 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 584 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 585 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 586 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 587 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 588 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 589 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 590 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 591 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 592 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 593 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 594 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 595 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 596 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 597 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 598 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 599 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 600 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 601 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 602 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 603 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 604 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 605 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 606 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 607 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 608 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 609 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 610 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 611 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 612 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 613 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 614 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 615 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 616 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 617 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 618 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 619 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 620 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 621 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 622 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 623 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 624 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 625 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 626 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 627 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 628 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 629 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 630 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 631 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 632 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 633 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 634 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 635 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 636 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 637 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 638 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 639 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 640 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 641 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 642 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 643 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 644 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 645 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 646 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 647 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 648 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 649 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 650 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 651 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 652 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 653 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 654 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 655 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 656 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 657 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 658 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 659 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 660 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 661 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 662 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 663 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 664 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 665 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 666 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 667 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 668 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 669 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 670 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 671 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 672 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 673 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 674 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 675 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 676 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 677 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 678 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 679 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 680 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 681 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 682 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 683 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 684 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 685 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 686 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 687 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 688 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 689 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 690 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 691 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 692 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 693 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 694 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 695 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 696 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 697 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 698 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 699 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 700 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 701 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 702 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 703 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 704 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 705 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 706 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 707 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 708 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 709 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 710 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 711 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 712 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 713 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 714 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 715 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 716 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 717 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 718 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 719 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 720 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 721 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 722 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 723 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 724 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 725 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 726 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 727 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 728 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 729 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 730 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 731 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 732 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 733 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 734 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 735 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 736 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 737 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 738 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 739 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 740 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 741 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 742 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 743 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 744 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 745 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 746 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 747 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 748 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 749 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 750 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 751 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 752 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 753 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 754 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 755 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 756 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 757 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 758 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 759 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 760 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 761 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 762 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 763 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 764 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 765 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 750 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 751 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 752 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 753 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 754 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 755 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 756 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 757 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 758 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 759 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 760 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 761 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 762 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 763 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 764 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 765 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 766 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 767 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 768 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 769 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 770 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 771 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 772 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 767 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 768 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 769 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 770 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 771 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 772 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | | 773 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | | 774 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 775 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | From 524cd77d368cf83f4136bffac61c9276f0cbb1a5 Mon Sep 17 00:00:00 2001 From: SimonGurney Date: Wed, 18 Aug 2021 00:18:56 +0100 Subject: [PATCH 182/203] Update INTHEWILD.md (#1511) Added PunkSecurity from the UK --- docs/5.Policy Index/serverless.md | 130 ------------------------------ 1 file changed, 130 deletions(-) diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index 020ab484d2..d35af83ca3 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md @@ -16,133 +16,3 @@ nav_order: 1 --- -| | Id | Type | Entity | Policy | IaC | -|-----|-------------|----------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| -| 0 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | -| 1 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | -| 2 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | -| 3 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | -| 4 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | -| 5 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | -| 6 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | -| 7 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | -| 8 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | -| 9 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | -| 10 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | -| 11 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | -| 12 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | -| 13 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | -| 14 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | -| 15 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 16 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 17 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 18 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 19 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | -| 20 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | -| 21 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | -| 22 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | -| 23 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | -| 24 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | -| 25 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | -| 26 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | -| 27 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | -| 28 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | -| 29 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | -| 30 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | -| 31 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | -| 32 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | -| 33 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | -| 34 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | -| 35 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | -| 36 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | -| 37 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | -| 38 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | -| 39 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | -| 40 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | -| 41 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | -| 42 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | -| 43 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | -| 44 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | -| 45 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | -| 46 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | -| 47 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | -| 48 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | -| 49 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | -| 50 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | -| 51 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | -| 52 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | -| 53 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | -| 54 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | -| 55 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | -| 56 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | -| 57 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | -| 58 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | -| 59 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | -| 60 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | -| 61 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | -| 62 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | -| 63 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | -| 64 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | -| 65 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | -| 66 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | -| 67 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | -| 68 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | -| 69 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | -| 70 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | -| 71 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | -| 72 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | -| 73 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | -| 74 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | -| 75 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | -| 76 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | -| 77 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | -| 78 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | -| 79 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | -| 80 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 81 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 82 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 83 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 84 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 85 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 86 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 87 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 88 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 89 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 90 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 91 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 92 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 93 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 94 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 95 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 96 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 97 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 98 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 99 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 100 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 101 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 102 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 103 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 104 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 105 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | -| 106 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | -| 107 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | -| 108 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | -| 109 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | -| 110 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | -| 111 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | -| 112 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | -| 113 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | -| 114 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | -| 115 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | -| 116 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | -| 117 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | -| 118 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | -| 119 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | -| 120 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | -| 121 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | -| 122 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | - - ---- - - From 4f9c149f0fb589341e4175f112bc44f0024f0491 Mon Sep 17 00:00:00 2001 From: Matthew Wynn Date: Tue, 17 Aug 2021 16:18:20 -0700 Subject: [PATCH 183/203] Fix CKV2_AWS_5 to for SGs attached to aws_cloudwatch_event_target (#1514) --- docs/5.Policy Index/all.md | 594 ++++++++++++++++++------------------- 1 file changed, 297 insertions(+), 297 deletions(-) diff --git a/docs/5.Policy Index/all.md b/docs/5.Policy Index/all.md index 979352fdc9..aaa808cb6a 100644 --- a/docs/5.Policy Index/all.md +++ b/docs/5.Policy Index/all.md @@ -329,15 +329,15 @@ nav_order: 1 | 318 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | | 319 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | | 320 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | -| 321 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | -| 322 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | -| 323 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 324 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 325 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | -| 326 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 321 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 322 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 323 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | +| 324 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | +| 325 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 326 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | | 327 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to an other resource | Terraform | -| 328 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | -| 329 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | +| 328 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | +| 329 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | | 330 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | | 331 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | | 332 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | @@ -351,13 +351,13 @@ nav_order: 1 | 340 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | | 341 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | | 342 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 343 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | -| 344 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | +| 343 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | +| 344 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 345 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | -| 346 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 347 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 348 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | -| 349 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 346 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | +| 347 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | +| 348 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 349 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | | 350 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | | 351 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | | 352 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | @@ -569,23 +569,23 @@ nav_order: 1 | 558 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | | 559 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | | 560 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 561 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 562 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 561 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 562 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 563 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 564 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 565 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 564 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 565 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 566 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 567 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 568 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 567 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 568 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | | 569 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 570 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | -| 571 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 570 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 571 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 572 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | -| 573 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | -| 574 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | +| 573 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | +| 574 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 575 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | -| 576 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | -| 577 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 576 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 577 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | | 578 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | | 579 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | | 580 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | @@ -593,8 +593,8 @@ nav_order: 1 | 582 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | | 583 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | | 584 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | -| 585 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 586 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 585 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 586 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | | 587 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | | 588 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | | 589 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | @@ -698,279 +698,279 @@ nav_order: 1 | 687 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | | 688 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | | 689 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 690 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 691 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 692 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 693 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 694 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 695 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 696 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 697 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 698 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 699 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 700 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 701 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 702 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 703 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 704 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 705 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 706 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 707 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 708 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 709 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 710 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 711 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 712 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 713 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 714 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 715 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 716 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 717 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 718 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 719 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 720 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 721 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 722 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 723 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 724 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 725 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 726 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 727 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 728 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 729 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 730 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 731 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 732 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 733 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 734 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 735 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 736 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 737 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 738 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 739 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 740 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 741 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 742 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 743 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 744 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 745 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 746 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 747 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 748 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 749 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 750 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 751 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 752 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 753 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 754 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 755 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 756 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 757 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 758 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 759 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 760 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 761 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 762 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 763 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 764 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 765 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 766 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 767 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 768 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 769 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 770 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 771 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 772 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 773 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 774 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 775 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 776 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 777 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 778 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 779 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 780 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 781 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 782 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 783 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 784 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 785 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 786 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 787 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 788 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 789 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 790 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 791 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 792 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 793 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 794 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 795 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 796 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 797 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 798 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 799 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 800 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 801 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 802 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 803 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 804 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 805 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 806 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 807 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 808 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 809 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 810 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 811 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 812 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 813 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 814 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 815 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 816 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 817 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 818 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 819 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 820 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 821 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 822 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 823 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 824 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 825 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 826 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 827 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 828 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 829 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 830 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 831 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 832 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 833 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 834 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 835 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 836 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 837 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 838 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 839 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 840 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 841 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 842 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 843 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 844 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 845 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 846 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 847 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 848 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 849 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 850 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 851 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 852 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 853 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 854 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 855 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 856 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 857 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 858 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 859 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 860 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 861 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 862 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 863 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 864 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 865 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 866 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 867 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 868 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 869 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 870 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 871 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 690 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 691 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 692 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 693 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 694 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 695 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 696 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 697 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 698 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 699 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 700 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 701 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 702 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 703 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 704 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 705 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 706 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 707 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 708 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 709 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 710 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 711 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 712 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 713 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 714 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 715 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 716 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 717 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 718 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 719 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 720 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 721 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 722 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 723 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 724 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 725 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 726 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 727 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 728 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 729 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 730 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 731 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 732 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 733 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 734 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 735 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 736 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 737 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 738 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 739 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 740 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 741 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 742 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 743 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 744 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 745 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 746 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 747 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 748 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 749 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 750 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 751 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 752 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 753 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 754 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 755 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 756 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 757 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 758 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 759 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 760 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 761 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 762 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 763 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 764 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 765 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 766 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 767 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 768 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 769 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 770 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 771 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 772 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 773 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 774 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 775 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 776 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 777 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 778 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 779 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 780 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 781 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 782 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 783 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 784 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 785 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 786 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 787 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 788 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 789 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 790 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 791 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 792 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 793 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 794 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 795 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 796 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 797 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 798 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 799 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 800 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 801 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 802 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 803 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 804 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 805 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 806 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 807 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 808 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 809 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 810 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 811 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 812 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 813 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 814 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 815 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 816 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 817 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 818 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 819 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 820 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 821 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 822 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 823 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 824 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 825 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 826 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 827 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 828 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 829 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 830 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 831 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 832 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 833 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 834 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 835 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 836 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 837 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 838 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 839 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 840 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 841 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 842 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 843 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 844 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 845 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 846 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 847 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 848 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 849 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 850 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 851 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 852 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 853 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 854 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 855 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 856 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 857 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 858 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 859 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 860 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 861 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 862 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 863 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 864 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 865 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 866 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 867 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 868 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 869 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 870 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 871 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 872 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 873 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 874 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 875 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 876 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 877 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 878 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 879 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 880 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 881 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 882 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 883 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 884 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 885 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 886 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 887 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 888 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 889 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 890 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 891 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 892 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 893 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 894 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 895 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 896 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 897 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 898 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 899 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 900 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 901 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 902 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 903 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 904 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 905 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 906 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 907 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 908 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 909 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 910 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 911 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 912 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 913 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 914 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 915 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 916 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 917 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 918 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 919 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 920 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 921 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 922 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 923 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 924 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 925 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 926 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 927 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 928 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 929 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 930 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 931 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 932 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 933 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 934 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 935 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 936 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 937 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 938 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 939 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 940 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 941 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 942 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 943 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 944 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 945 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 946 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 947 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 948 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 949 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 950 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 951 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 952 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 953 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 954 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 873 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 874 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 875 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 876 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 877 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 878 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 879 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 880 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 881 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 882 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 883 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 884 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 885 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 886 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 887 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 888 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 889 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 890 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 891 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 892 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 893 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 894 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 895 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 896 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 897 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 898 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 899 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 900 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 901 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 902 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 903 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 904 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 905 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 906 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 907 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 908 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 909 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 910 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 911 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 912 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 913 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 914 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 915 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 916 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 917 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 918 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 919 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 920 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 921 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 922 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 923 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 924 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 925 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 926 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 927 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 928 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 929 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 930 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 931 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 932 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 933 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 934 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 935 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 936 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 937 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 938 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 939 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 940 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 941 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 942 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 943 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 944 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 945 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 946 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 947 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 948 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 949 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 950 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 951 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 952 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 953 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 954 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 955 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 956 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | | 957 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 958 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 959 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 960 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 961 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | -| 962 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 958 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 959 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 960 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 961 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 962 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 963 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform | | 964 | CKV_K8S_1 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host process ID namespace | Kubernetes | | 965 | CKV_K8S_2 | resource | PodSecurityPolicy | Do not admit privileged containers | Kubernetes | From 9526b8caf2aef34a4ef8a5a654abec5981d928c4 Mon Sep 17 00:00:00 2001 From: SimonGurney Date: Wed, 18 Aug 2021 00:18:56 +0100 Subject: [PATCH 184/203] Update INTHEWILD.md (#1511) Added PunkSecurity from the UK --- docs/5.Policy Index/serverless.md | 130 ++++++++++++++++++++++++++++++ 1 file changed, 130 insertions(+) diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index d35af83ca3..020ab484d2 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md @@ -16,3 +16,133 @@ nav_order: 1 --- +| | Id | Type | Entity | Policy | IaC | +|-----|-------------|----------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| +| 0 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | +| 1 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | +| 2 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | +| 3 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | +| 4 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | +| 5 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | +| 6 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | +| 7 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | +| 8 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | +| 9 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | +| 10 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | +| 11 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | +| 12 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | +| 13 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | +| 14 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | +| 15 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 16 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 17 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 18 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 19 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | +| 20 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | +| 21 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | +| 22 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | +| 23 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | +| 24 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | +| 25 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | +| 26 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | +| 27 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | +| 28 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | +| 29 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | +| 30 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | +| 31 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | +| 32 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | +| 33 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | +| 34 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | +| 35 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | +| 36 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | +| 37 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | +| 38 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | +| 39 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | +| 40 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | +| 41 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | +| 42 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | +| 43 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | +| 44 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | +| 45 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | +| 46 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | +| 47 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | +| 48 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | +| 49 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | +| 50 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | +| 51 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | +| 52 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | +| 53 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | +| 54 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | +| 55 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | +| 56 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | +| 57 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | +| 58 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | +| 59 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | +| 60 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | +| 61 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | +| 62 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | +| 63 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | +| 64 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | +| 65 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | +| 66 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | +| 67 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | +| 68 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | +| 69 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | +| 70 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | +| 71 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | +| 72 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | +| 73 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | +| 74 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | +| 75 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | +| 76 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | +| 77 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | +| 78 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | +| 79 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | +| 80 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 81 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 82 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 83 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 84 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 85 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 86 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 87 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 88 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 89 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 90 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 91 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 92 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 93 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 94 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 95 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 96 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 97 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 98 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 99 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 100 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 101 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 102 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 103 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 104 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 105 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | +| 106 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | +| 107 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | +| 108 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | +| 109 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | +| 110 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | +| 111 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | +| 112 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | +| 113 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | +| 114 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | +| 115 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | +| 116 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | +| 117 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | +| 118 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | +| 119 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | +| 120 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | +| 121 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | +| 122 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | + + +--- + + From 9b69e7dae65a3a459274a6312b9ebc0924dfb468 Mon Sep 17 00:00:00 2001 From: Matthew Wynn Date: Tue, 17 Aug 2021 16:18:20 -0700 Subject: [PATCH 185/203] Fix CKV2_AWS_5 to for SGs attached to aws_cloudwatch_event_target (#1514) --- checkov/version.py | 2 +- kubernetes/requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/checkov/version.py b/checkov/version.py index 337c3d723b..7c7c793b6d 100644 --- a/checkov/version.py +++ b/checkov/version.py @@ -1 +1 @@ -version = '2.0.360' +version = '2.0.361' diff --git a/kubernetes/requirements.txt b/kubernetes/requirements.txt index 27f399a9ee..548933cbcc 100644 --- a/kubernetes/requirements.txt +++ b/kubernetes/requirements.txt @@ -1 +1 @@ -checkov==2.0.360 +checkov==2.0.361 From b6c3f691cb80a777679ea0788aca7449c2885509 Mon Sep 17 00:00:00 2001 From: Saar Ettinger Date: Wed, 18 Aug 2021 14:08:45 +0300 Subject: [PATCH 186/203] dependson resource is missing so cfn graph crashes --- .../graph_builder/graph_components/block_types.py | 11 ----------- checkov/cloudformation/graph_builder/local_graph.py | 5 +++-- 2 files changed, 3 insertions(+), 13 deletions(-) diff --git a/checkov/cloudformation/graph_builder/graph_components/block_types.py b/checkov/cloudformation/graph_builder/graph_components/block_types.py index 1242fa6c56..9333c810eb 100644 --- a/checkov/cloudformation/graph_builder/graph_components/block_types.py +++ b/checkov/cloudformation/graph_builder/graph_components/block_types.py @@ -13,14 +13,3 @@ class BlockType(CommonBlockType): CONDITION = "conditions" TRANSFORM = "transform" OUTPUT = "outputs" - - -class CloudformationTemplateSections(str, Enum): - RESOURCES = "Resources" - METADATA = "Metadata" - PARAMETERS = "Parameters" - RULES = "Rules" - MAPPINGS = "Mappings" - CONDITIONS = "Conditions" - TRANSFORM = "Transform" - OUTPUTS = "Outputs" diff --git a/checkov/cloudformation/graph_builder/local_graph.py b/checkov/cloudformation/graph_builder/local_graph.py index 4c666669fe..d5c58bea3e 100644 --- a/checkov/cloudformation/graph_builder/local_graph.py +++ b/checkov/cloudformation/graph_builder/local_graph.py @@ -101,8 +101,9 @@ def _add_resource_attr_connections(self, attribute): if isinstance(target_ids, list): for target_id in target_ids: if isinstance(target_id, str): - dest_vertex_index = self._vertices_indexes[vertex_path][target_id] - self._create_edge(origin_node_index, dest_vertex_index, label=attribute) + dest_vertex_index = self._vertices_indexes.get(vertex_path, {}).get(target_id, None) + if dest_vertex_index: + self._create_edge(origin_node_index, dest_vertex_index, label=attribute) else: logging.info(f"[CloudformationLocalGraph] didnt create edge for target_id {target_id}" f"and vertex_path {vertex_path} as target_id is not a string") From a87e4b71b75a4cf0b94e9616786c76aad316dd0a Mon Sep 17 00:00:00 2001 From: Saar Ettinger Date: Wed, 18 Aug 2021 14:25:16 +0300 Subject: [PATCH 187/203] add edge if dest_Vertex_index is not none --- checkov/cloudformation/graph_builder/local_graph.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/checkov/cloudformation/graph_builder/local_graph.py b/checkov/cloudformation/graph_builder/local_graph.py index d5c58bea3e..d2f43edbd3 100644 --- a/checkov/cloudformation/graph_builder/local_graph.py +++ b/checkov/cloudformation/graph_builder/local_graph.py @@ -102,7 +102,7 @@ def _add_resource_attr_connections(self, attribute): for target_id in target_ids: if isinstance(target_id, str): dest_vertex_index = self._vertices_indexes.get(vertex_path, {}).get(target_id, None) - if dest_vertex_index: + if dest_vertex_index is not None: self._create_edge(origin_node_index, dest_vertex_index, label=attribute) else: logging.info(f"[CloudformationLocalGraph] didnt create edge for target_id {target_id}" From c77268468ac7fa2baa4d1981634c48382bf6da66 Mon Sep 17 00:00:00 2001 From: Saar Ettinger Date: Wed, 18 Aug 2021 11:25:21 +0000 Subject: [PATCH 188/203] Merge a87e4b71b75a4cf0b94e9616786c76aad316dd0a into 9b69e7dae65a3a459274a6312b9ebc0924dfb468 --- docs/5.Policy Index/terraform.md | 608 +++++++++++++++---------------- 1 file changed, 304 insertions(+), 304 deletions(-) diff --git a/docs/5.Policy Index/terraform.md b/docs/5.Policy Index/terraform.md index b7e23a44f4..7c5dec56b6 100644 --- a/docs/5.Policy Index/terraform.md +++ b/docs/5.Policy Index/terraform.md @@ -210,16 +210,16 @@ nav_order: 1 | 199 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | | 200 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | | 201 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to an other resource | Terraform | -| 202 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | -| 203 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | +| 202 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | +| 203 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | | 204 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | | 205 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | | 206 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | | 207 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | | 208 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | | 209 | CKV2_AWS_11 | resource | aws_vpc | Ensure VPC flow logging is enabled in all VPCs | Terraform | -| 210 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | -| 211 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 210 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 211 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | | 212 | CKV2_AWS_13 | resource | aws_redshift_cluster | Ensure that Redshift clusters has backup plan of AWS Backup | Terraform | | 213 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | | 214 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | @@ -230,16 +230,16 @@ nav_order: 1 | 219 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | | 220 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | | 221 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 222 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | -| 223 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 222 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 223 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | | 224 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | | 225 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | | 226 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | | 227 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | | 228 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | | 229 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | -| 230 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | -| 231 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | +| 230 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | +| 231 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | | 232 | CKV_AZURE_1 | resource | azurerm_linux_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | | 233 | CKV_AZURE_1 | resource | azurerm_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | | 234 | CKV_AZURE_2 | resource | azurerm_managed_disk | Ensure Azure managed disk has encryption enabled | Terraform | @@ -388,19 +388,19 @@ nav_order: 1 | 377 | CKV_AZURE_130 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables infrastructure encryption | Terraform | | 378 | CKV_AZURE_131 | resource | azurerm_security_center_contact | Ensure that 'Security contact emails' is set | Terraform | | 379 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | -| 380 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 381 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 382 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 383 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 384 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 385 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 386 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 387 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 388 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 389 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 390 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 391 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | -| 392 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 380 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 381 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 382 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 383 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 384 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 385 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 386 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 387 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 388 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 389 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 390 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 391 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 392 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 393 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | | 394 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 395 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | @@ -409,24 +409,24 @@ nav_order: 1 | 398 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | | 399 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | | 400 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | -| 401 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | -| 402 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | +| 401 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | +| 402 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | | 403 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | | 404 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | | 405 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | -| 406 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 407 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 408 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 409 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 406 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 407 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 408 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 409 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | | 410 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 411 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 412 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | -| 413 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 414 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 415 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 416 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 417 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 418 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 413 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 414 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 415 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 416 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 417 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 418 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 419 | CKV_GCP_1 | resource | google_container_cluster | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters | Terraform | | 420 | CKV_GCP_2 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted ssh access | Terraform | | 421 | CKV_GCP_3 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted rdp access | Terraform | @@ -511,277 +511,277 @@ nav_order: 1 | 500 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | | 501 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | | 502 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 503 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 504 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 505 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 506 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 507 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 508 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 509 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 510 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 511 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 512 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 513 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 514 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 515 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 516 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 517 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 518 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 519 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 520 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 521 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 522 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 523 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 524 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 525 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 526 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 527 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 528 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 529 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 530 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 531 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 532 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 533 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 534 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 535 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 536 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 537 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 538 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 539 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 540 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 541 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 542 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 543 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 544 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 545 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 546 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 547 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 548 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 549 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 550 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 551 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 552 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 553 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 554 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 555 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 556 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 557 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 558 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 559 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 560 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 561 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 562 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 563 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 564 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 565 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 566 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 567 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 568 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 569 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 570 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 571 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 572 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 573 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 574 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 575 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 576 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 577 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 578 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 579 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 580 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 581 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 582 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 583 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 584 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 585 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 586 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 587 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 588 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 589 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 590 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 591 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 592 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 593 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 594 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 595 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 596 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 597 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 598 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 599 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 600 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 601 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 602 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 603 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 604 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 605 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 606 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 607 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 608 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 609 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 610 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 611 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 612 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 613 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 614 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 615 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 616 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 617 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 618 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 619 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 620 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 621 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 622 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 623 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 624 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 625 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 626 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 627 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 628 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 629 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 630 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 631 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 632 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 633 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 634 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 635 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 636 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 637 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 638 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 639 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 640 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 641 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 642 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 643 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 644 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 645 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 646 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 647 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 648 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 649 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 650 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 651 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 652 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 653 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 654 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 655 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 656 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 657 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 658 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 659 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 660 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 661 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 662 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 663 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 664 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 665 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 666 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 667 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 668 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 669 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 670 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 671 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 672 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 673 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 674 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 675 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 676 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 677 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 678 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 679 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 680 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 681 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 682 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 683 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 684 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 685 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 686 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 687 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 688 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 689 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 690 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 691 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 692 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 693 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 694 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 695 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 696 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 697 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 698 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 699 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 700 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 701 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 702 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 703 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 704 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 705 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 706 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 707 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 708 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 709 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 710 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 711 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 712 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 713 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 714 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 715 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 716 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 717 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 718 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 719 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 720 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 721 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 722 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 723 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 724 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 725 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 726 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 727 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 728 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 729 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 730 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 731 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 732 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 733 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 734 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 735 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 736 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 737 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 738 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 739 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 740 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 741 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 742 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 743 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 744 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 745 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 746 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 747 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 748 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 749 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 750 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 751 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 752 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 753 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 754 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 755 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 756 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 757 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 758 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 759 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 760 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 761 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 762 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 763 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 764 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 765 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 766 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 767 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 768 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 769 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 770 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 771 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 772 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 773 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 503 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 504 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 505 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 506 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 507 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 508 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 509 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 510 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 511 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 512 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 513 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 514 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 515 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 516 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 517 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 518 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 519 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 520 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 521 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 522 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 523 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 524 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 525 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 526 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 527 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 528 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 529 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 530 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 531 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 532 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 533 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 534 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 535 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 536 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 537 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 538 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 539 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 540 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 541 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 542 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 543 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 544 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 545 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 546 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 547 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 548 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 549 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 550 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 551 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 552 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 553 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 554 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 555 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 556 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 557 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 558 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 559 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 560 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 561 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 562 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 563 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 564 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 565 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 566 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 567 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 568 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 569 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 570 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 571 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 572 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 573 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 574 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 575 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 576 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 577 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 578 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 579 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 580 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 581 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 582 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 583 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 584 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 585 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 586 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 587 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 588 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 589 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 590 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 591 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 592 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 593 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 594 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 595 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 596 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 597 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 598 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 599 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 600 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 601 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 602 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 603 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 604 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 605 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 606 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 607 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 608 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 609 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 610 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 611 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 612 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 613 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 614 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 615 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 616 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 617 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 618 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 619 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 620 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 621 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 622 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 623 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 624 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 625 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 626 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 627 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 628 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 629 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 630 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 631 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 632 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 633 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 634 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 635 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 636 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 637 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 638 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 639 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 640 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 641 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 642 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 643 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 644 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 645 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 646 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 647 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 648 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 649 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 650 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 651 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 652 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 653 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 654 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 655 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 656 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 657 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 658 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 659 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 660 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 661 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 662 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 663 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 664 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 665 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 666 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 667 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 668 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 669 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 670 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 671 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 672 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 673 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 674 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 675 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 676 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 677 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 678 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 679 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 680 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 681 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 682 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 683 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 684 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 685 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 686 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 687 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 688 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 689 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 690 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 691 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 692 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 693 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 694 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 695 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 696 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 697 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 698 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 699 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 700 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 701 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 702 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 703 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 704 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 705 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 706 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 707 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 708 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 709 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 710 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 711 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 712 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 713 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 714 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 715 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 716 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 717 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 718 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 719 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 720 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 721 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 722 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 723 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 724 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 725 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 726 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 727 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 728 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 729 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 730 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 731 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 732 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 733 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 734 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 735 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 736 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 737 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 738 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 739 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 740 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 741 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 742 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 743 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 744 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 745 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 746 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 747 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 748 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 749 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 750 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 751 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 752 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 753 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 754 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 755 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 756 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 757 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 758 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 759 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 760 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 761 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 762 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 763 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 764 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 765 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 766 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 767 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 768 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 769 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 770 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 771 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 772 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 773 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | | 774 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 775 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 776 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform | From 8e963b30686ab2e5621d58af671948e2bc1f06c4 Mon Sep 17 00:00:00 2001 From: Saar Ettinger Date: Wed, 18 Aug 2021 14:36:57 +0300 Subject: [PATCH 189/203] Merge pull request #1517 from bridgecrewio/fix_dependson_missing CFN Graph creation crashes due to DependsOn resource missing --- docs/5.Policy Index/serverless.md | 130 ------------------------------ 1 file changed, 130 deletions(-) diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index 020ab484d2..d35af83ca3 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md @@ -16,133 +16,3 @@ nav_order: 1 --- -| | Id | Type | Entity | Policy | IaC | -|-----|-------------|----------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| -| 0 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | -| 1 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | -| 2 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | -| 3 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | -| 4 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | -| 5 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | -| 6 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | -| 7 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | -| 8 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | -| 9 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | -| 10 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | -| 11 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | -| 12 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | -| 13 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | -| 14 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | -| 15 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 16 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 17 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 18 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 19 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | -| 20 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | -| 21 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | -| 22 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | -| 23 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | -| 24 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | -| 25 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | -| 26 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | -| 27 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | -| 28 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | -| 29 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | -| 30 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | -| 31 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | -| 32 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | -| 33 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | -| 34 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | -| 35 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | -| 36 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | -| 37 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | -| 38 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | -| 39 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | -| 40 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | -| 41 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | -| 42 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | -| 43 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | -| 44 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | -| 45 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | -| 46 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | -| 47 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | -| 48 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | -| 49 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | -| 50 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | -| 51 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | -| 52 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | -| 53 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | -| 54 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | -| 55 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | -| 56 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | -| 57 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | -| 58 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | -| 59 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | -| 60 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | -| 61 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | -| 62 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | -| 63 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | -| 64 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | -| 65 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | -| 66 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | -| 67 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | -| 68 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | -| 69 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | -| 70 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | -| 71 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | -| 72 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | -| 73 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | -| 74 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | -| 75 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | -| 76 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | -| 77 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | -| 78 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | -| 79 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | -| 80 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 81 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 82 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 83 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 84 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 85 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 86 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 87 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 88 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 89 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 90 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 91 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 92 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 93 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 94 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 95 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 96 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 97 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 98 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 99 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 100 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 101 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 102 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 103 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 104 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 105 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | -| 106 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | -| 107 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | -| 108 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | -| 109 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | -| 110 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | -| 111 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | -| 112 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | -| 113 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | -| 114 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | -| 115 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | -| 116 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | -| 117 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | -| 118 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | -| 119 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | -| 120 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | -| 121 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | -| 122 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | - - ---- - - From 0dec4fb3868429e407a446e4a634a289d2aa2e26 Mon Sep 17 00:00:00 2001 From: Saar Ettinger Date: Wed, 18 Aug 2021 11:25:21 +0000 Subject: [PATCH 190/203] Merge a87e4b71b75a4cf0b94e9616786c76aad316dd0a into 9b69e7dae65a3a459274a6312b9ebc0924dfb468 --- docs/5.Policy Index/all.md | 604 ++++++++++++++++++------------------- 1 file changed, 302 insertions(+), 302 deletions(-) diff --git a/docs/5.Policy Index/all.md b/docs/5.Policy Index/all.md index aaa808cb6a..f340922462 100644 --- a/docs/5.Policy Index/all.md +++ b/docs/5.Policy Index/all.md @@ -329,43 +329,43 @@ nav_order: 1 | 318 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | | 319 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | | 320 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | -| 321 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | -| 322 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 321 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 322 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | | 323 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | | 324 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 325 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | -| 326 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 325 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 326 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | | 327 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to an other resource | Terraform | -| 328 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | -| 329 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | -| 330 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | -| 331 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 328 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | +| 329 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | +| 330 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 331 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | | 332 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | | 333 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | | 334 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | | 335 | CKV2_AWS_11 | resource | aws_vpc | Ensure VPC flow logging is enabled in all VPCs | Terraform | -| 336 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | -| 337 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 336 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | +| 337 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | | 338 | CKV2_AWS_13 | resource | aws_redshift_cluster | Ensure that Redshift clusters has backup plan of AWS Backup | Terraform | | 339 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | | 340 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | -| 341 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 342 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 343 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | -| 344 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | +| 341 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 342 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 343 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | +| 344 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 345 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | | 346 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | | 347 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 348 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | -| 349 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 348 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 349 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | | 350 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | | 351 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | | 352 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | | 353 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | | 354 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | | 355 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | -| 356 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | -| 357 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | +| 356 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | +| 357 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | | 358 | CKV_AZURE_1 | resource | azurerm_linux_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | | 359 | CKV_AZURE_1 | resource | azurerm_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | | 360 | CKV_AZURE_1 | resource | Microsoft.Compute/virtualMachines | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | arm | @@ -569,14 +569,14 @@ nav_order: 1 | 558 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | | 559 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | | 560 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 561 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 562 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 561 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 562 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 563 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 564 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 565 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 564 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 565 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 566 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 567 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 568 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 567 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 568 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | | 569 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | | 570 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 571 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | @@ -595,16 +595,16 @@ nav_order: 1 | 584 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | | 585 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | | 586 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 587 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 588 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 589 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | -| 590 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 587 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 588 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 589 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | +| 590 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 591 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | | 592 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 593 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 594 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 595 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 596 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 593 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 594 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 595 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 596 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 597 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 598 | CKV_DOCKER_1 | dockerfile | EXPOSE | Ensure port 22 is not exposed | dockerfile | | 599 | CKV_DOCKER_2 | dockerfile | * | Ensure that HEALTHCHECK instructions have been added to container images | dockerfile | @@ -698,279 +698,279 @@ nav_order: 1 | 687 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | | 688 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | | 689 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 690 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 691 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 692 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 693 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 694 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 695 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 696 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 697 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 698 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 699 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 700 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 701 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 702 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 703 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 704 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 705 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 706 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 707 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 708 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 709 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 710 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 711 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 712 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 713 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 714 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 715 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 716 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 717 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 718 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 719 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 720 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 721 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 722 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 723 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 724 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 725 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 726 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 727 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 728 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 729 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 730 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 731 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 732 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 733 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 734 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 735 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 736 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 737 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 738 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 739 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 740 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 741 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 742 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 743 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 744 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 745 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 746 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 747 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 748 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 749 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 750 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 751 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 752 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 753 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 754 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 755 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 756 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 757 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 758 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 759 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 760 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 761 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 762 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 763 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 764 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 765 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 766 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 767 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 768 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 769 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 770 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 771 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 772 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 773 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 774 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 775 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 776 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 777 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 778 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 779 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 780 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 781 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 782 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 783 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 784 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 785 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 786 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 787 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 788 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 789 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 790 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 791 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 792 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 793 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 794 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 795 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 796 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 797 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 798 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 799 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 800 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 801 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 802 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 803 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 804 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 805 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 806 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 807 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 808 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 809 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 810 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 811 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 812 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 813 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 814 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 815 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 816 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 817 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 818 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 819 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 820 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 821 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 822 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 823 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 824 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 825 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 826 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 827 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 828 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 829 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 830 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 831 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 832 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 833 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 834 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 835 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 836 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 837 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 838 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 839 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 840 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 841 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 842 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 843 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 844 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 845 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 846 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 847 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 848 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 849 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 850 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 851 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 852 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 853 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 854 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 855 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 856 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 857 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 858 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 859 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 860 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 861 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 862 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 863 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 864 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 865 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 866 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 867 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 868 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 869 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 870 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 871 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 872 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 873 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 874 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 875 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 876 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 877 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 878 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 879 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 880 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 881 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 882 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 883 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 884 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 885 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 886 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 887 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 888 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 889 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 890 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 891 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 892 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 893 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 894 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 895 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 896 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 897 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 898 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 899 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 900 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 901 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 902 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 903 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 904 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 905 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 906 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 907 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 908 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 909 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 910 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 911 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 912 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 913 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 914 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 915 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 916 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 917 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 918 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 919 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 920 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 921 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 922 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 923 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 924 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 925 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 926 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 927 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 928 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 929 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 930 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 931 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 932 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 933 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 934 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 935 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 936 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 937 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 938 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 939 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 940 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 941 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 942 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 943 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 944 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 945 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 946 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 947 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 948 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 949 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 950 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 951 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 952 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 953 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 954 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 955 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 690 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 691 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 692 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 693 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 694 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 695 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 696 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 697 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 698 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 699 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 700 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 701 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 702 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 703 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 704 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 705 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 706 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 707 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 708 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 709 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 710 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 711 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 712 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 713 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 714 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 715 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 716 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 717 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 718 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 719 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 720 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 721 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 722 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 723 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 724 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 725 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 726 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 727 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 728 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 729 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 730 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 731 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 732 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 733 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 734 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 735 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 736 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 737 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 738 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 739 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 740 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 741 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 742 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 743 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 744 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 745 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 746 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 747 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 748 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 749 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 750 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 751 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 752 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 753 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 754 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 755 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 756 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 757 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 758 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 759 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 760 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 761 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 762 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 763 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 764 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 765 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 766 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 767 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 768 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 769 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 770 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 771 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 772 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 773 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 774 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 775 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 776 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 777 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 778 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 779 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 780 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 781 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 782 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 783 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 784 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 785 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 786 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 787 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 788 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 789 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 790 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 791 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 792 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 793 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 794 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 795 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 796 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 797 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 798 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 799 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 800 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 801 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 802 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 803 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 804 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 805 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 806 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 807 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 808 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 809 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 810 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 811 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 812 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 813 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 814 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 815 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 816 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 817 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 818 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 819 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 820 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 821 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 822 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 823 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 824 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 825 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 826 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 827 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 828 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 829 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 830 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 831 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 832 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 833 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 834 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 835 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 836 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 837 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 838 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 839 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 840 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 841 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 842 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 843 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 844 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 845 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 846 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 847 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 848 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 849 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 850 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 851 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 852 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 853 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 854 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 855 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 856 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 857 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 858 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 859 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 860 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 861 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 862 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 863 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 864 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 865 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 866 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 867 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 868 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 869 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 870 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 871 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 872 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 873 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 874 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 875 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 876 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 877 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 878 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 879 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 880 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 881 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 882 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 883 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 884 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 885 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 886 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 887 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 888 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 889 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 890 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 891 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 892 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 893 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 894 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 895 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 896 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 897 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 898 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 899 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 900 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 901 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 902 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 903 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 904 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 905 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 906 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 907 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 908 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 909 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 910 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 911 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 912 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 913 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 914 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 915 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 916 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 917 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 918 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 919 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 920 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 921 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 922 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 923 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 924 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 925 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 926 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 927 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 928 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 929 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 930 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 931 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 932 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 933 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 934 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 935 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 936 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 937 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 938 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 939 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 940 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 941 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 942 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 943 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 944 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 945 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 946 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 947 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 948 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 949 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 950 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 951 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 952 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 953 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 954 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 955 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 956 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | | 957 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 958 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 959 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 958 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 959 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | | 960 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 961 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | -| 962 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 961 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 962 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 963 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform | | 964 | CKV_K8S_1 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host process ID namespace | Kubernetes | | 965 | CKV_K8S_2 | resource | PodSecurityPolicy | Do not admit privileged containers | Kubernetes | From 9b754245289b7dbb4fb1d77ba91a1ab7f63adde7 Mon Sep 17 00:00:00 2001 From: Saar Ettinger Date: Wed, 18 Aug 2021 14:36:57 +0300 Subject: [PATCH 191/203] Merge pull request #1517 from bridgecrewio/fix_dependson_missing CFN Graph creation crashes due to DependsOn resource missing --- docs/5.Policy Index/serverless.md | 130 ++++++++++++++++++++++++++++++ 1 file changed, 130 insertions(+) diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index d35af83ca3..020ab484d2 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md @@ -16,3 +16,133 @@ nav_order: 1 --- +| | Id | Type | Entity | Policy | IaC | +|-----|-------------|----------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| +| 0 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | +| 1 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | +| 2 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | +| 3 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | +| 4 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | +| 5 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | +| 6 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | +| 7 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | +| 8 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | +| 9 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | +| 10 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | +| 11 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | +| 12 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | +| 13 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | +| 14 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | +| 15 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 16 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 17 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 18 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 19 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | +| 20 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | +| 21 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | +| 22 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | +| 23 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | +| 24 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | +| 25 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | +| 26 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | +| 27 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | +| 28 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | +| 29 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | +| 30 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | +| 31 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | +| 32 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | +| 33 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | +| 34 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | +| 35 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | +| 36 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | +| 37 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | +| 38 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | +| 39 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | +| 40 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | +| 41 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | +| 42 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | +| 43 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | +| 44 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | +| 45 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | +| 46 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | +| 47 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | +| 48 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | +| 49 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | +| 50 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | +| 51 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | +| 52 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | +| 53 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | +| 54 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | +| 55 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | +| 56 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | +| 57 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | +| 58 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | +| 59 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | +| 60 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | +| 61 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | +| 62 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | +| 63 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | +| 64 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | +| 65 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | +| 66 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | +| 67 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | +| 68 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | +| 69 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | +| 70 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | +| 71 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | +| 72 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | +| 73 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | +| 74 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | +| 75 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | +| 76 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | +| 77 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | +| 78 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | +| 79 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | +| 80 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 81 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 82 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 83 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 84 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 85 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 86 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 87 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 88 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 89 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 90 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 91 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 92 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 93 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 94 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 95 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 96 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 97 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 98 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 99 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 100 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 101 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 102 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 103 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 104 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 105 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | +| 106 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | +| 107 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | +| 108 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | +| 109 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | +| 110 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | +| 111 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | +| 112 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | +| 113 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | +| 114 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | +| 115 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | +| 116 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | +| 117 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | +| 118 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | +| 119 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | +| 120 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | +| 121 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | +| 122 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | + + +--- + + From 4ac72960c6cdfc51eaf466a3879cbeb62683d9c2 Mon Sep 17 00:00:00 2001 From: Saar Ettinger Date: Wed, 18 Aug 2021 11:25:21 +0000 Subject: [PATCH 192/203] Merge a87e4b71b75a4cf0b94e9616786c76aad316dd0a into 9b69e7dae65a3a459274a6312b9ebc0924dfb468 --- checkov/version.py | 2 +- kubernetes/requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/checkov/version.py b/checkov/version.py index 7c7c793b6d..8f7562b55a 100644 --- a/checkov/version.py +++ b/checkov/version.py @@ -1 +1 @@ -version = '2.0.361' +version = '2.0.362' diff --git a/kubernetes/requirements.txt b/kubernetes/requirements.txt index 548933cbcc..f664497b06 100644 --- a/kubernetes/requirements.txt +++ b/kubernetes/requirements.txt @@ -1 +1 @@ -checkov==2.0.361 +checkov==2.0.362 From 6159ac4e009e193c68852614b842719feab8cdb6 Mon Sep 17 00:00:00 2001 From: Rotem Avni <52502521+rotemavni@users.noreply.github.com> Date: Wed, 18 Aug 2021 18:05:03 +0300 Subject: [PATCH 193/203] Fix contains attribute solver (#1518) * check if attribute contains value only if it is iterable * stringify portRange in arm check NSGRulePortAccessRestricted --- checkov/arm/checks/resource/NSGRulePortAccessRestricted.py | 2 +- .../solvers/attribute_solvers/contains_attribute_solver.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/checkov/arm/checks/resource/NSGRulePortAccessRestricted.py b/checkov/arm/checks/resource/NSGRulePortAccessRestricted.py index 785de178d0..335228b302 100644 --- a/checkov/arm/checks/resource/NSGRulePortAccessRestricted.py +++ b/checkov/arm/checks/resource/NSGRulePortAccessRestricted.py @@ -25,7 +25,7 @@ def __init__(self, name, check_id, port): self.port = port def is_port_in_range(self, portRange): - if re.match(PORT_RANGE, portRange): + if re.match(PORT_RANGE, str(portRange)): start, end = int(portRange.split('-')[0]), int(portRange.split('-')[1]) if start <= self.port <= end: return True diff --git a/checkov/common/checks_infra/solvers/attribute_solvers/contains_attribute_solver.py b/checkov/common/checks_infra/solvers/attribute_solvers/contains_attribute_solver.py index 2125a80c09..1710a80092 100644 --- a/checkov/common/checks_infra/solvers/attribute_solvers/contains_attribute_solver.py +++ b/checkov/common/checks_infra/solvers/attribute_solvers/contains_attribute_solver.py @@ -22,5 +22,5 @@ def _get_operation(self, vertex: Dict[str, Any], attribute: Optional[str]) -> bo except ValueError: pass if isinstance(att, dict): - return self.value in att or any(self.value in val for val in att.values()) + return self.value in att or any(self.value in val for val in att.values() if type(val) in [str, list, set, dict]) return self.value in att From 4c00acf9244d98aba930e54b72ce8f87225c141b Mon Sep 17 00:00:00 2001 From: Rotem Avni <52502521+rotemavni@users.noreply.github.com> Date: Wed, 18 Aug 2021 18:05:03 +0300 Subject: [PATCH 194/203] Fix contains attribute solver (#1518) * check if attribute contains value only if it is iterable * stringify portRange in arm check NSGRulePortAccessRestricted --- docs/5.Policy Index/terraform.md | 594 +++++++++++++++---------------- 1 file changed, 297 insertions(+), 297 deletions(-) diff --git a/docs/5.Policy Index/terraform.md b/docs/5.Policy Index/terraform.md index 7c5dec56b6..151e8748dd 100644 --- a/docs/5.Policy Index/terraform.md +++ b/docs/5.Policy Index/terraform.md @@ -201,19 +201,19 @@ nav_order: 1 | 190 | CKV_AWS_170 | resource | aws_qldb_ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Terraform | | 191 | CKV_AWS_171 | resource | aws_emr_security_configuration | Ensure Cluster security configuration encryption is using SSE-KMS | Terraform | | 192 | CKV_AWS_172 | resource | aws_qldb_ledger | Ensure QLDB ledger has deletion protection enabled | Terraform | -| 193 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | -| 194 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | +| 193 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | +| 194 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | | 195 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | | 196 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | | 197 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | | 198 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 199 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | -| 200 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 199 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 200 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | | 201 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to an other resource | Terraform | | 202 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | | 203 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | -| 204 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | -| 205 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 204 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 205 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | | 206 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | | 207 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | | 208 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | @@ -225,21 +225,21 @@ nav_order: 1 | 214 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | | 215 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | | 216 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 217 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | -| 218 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | +| 217 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | +| 218 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 219 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | -| 220 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 221 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | -| 222 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | -| 223 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 220 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | +| 221 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | +| 222 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | +| 223 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | | 224 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | | 225 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | | 226 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | | 227 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | | 228 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | | 229 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | -| 230 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | -| 231 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | +| 230 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | +| 231 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | | 232 | CKV_AZURE_1 | resource | azurerm_linux_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | | 233 | CKV_AZURE_1 | resource | azurerm_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | | 234 | CKV_AZURE_2 | resource | azurerm_managed_disk | Ensure Azure managed disk has encryption enabled | Terraform | @@ -391,14 +391,14 @@ nav_order: 1 | 380 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | | 381 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | | 382 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 383 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 384 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 383 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 384 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 385 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 386 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 387 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 386 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 387 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | | 388 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 389 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 390 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 389 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 390 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | | 391 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 392 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 393 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | @@ -411,13 +411,13 @@ nav_order: 1 | 400 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | | 401 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | | 402 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | -| 403 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | -| 404 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | +| 403 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | +| 404 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | | 405 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | -| 406 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 407 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 408 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | -| 409 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 406 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 407 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 408 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | +| 409 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | | 410 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 411 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 412 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | @@ -511,277 +511,277 @@ nav_order: 1 | 500 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | | 501 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | | 502 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 503 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 504 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 505 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 506 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 507 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 508 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 509 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 510 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 511 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 512 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 513 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 514 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 515 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 516 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 517 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 518 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 519 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 520 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 521 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 522 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 523 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 524 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 525 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 526 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 527 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 528 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 529 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 530 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 531 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 532 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 533 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 534 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 535 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 536 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 537 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 538 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 539 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 540 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 541 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 542 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 543 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 544 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 545 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 546 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 547 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 548 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 549 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 550 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 551 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 552 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 553 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 554 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 555 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 556 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 557 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 558 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 559 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 560 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 561 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 562 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 563 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 564 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 565 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 566 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 567 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 568 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 569 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 570 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 571 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 572 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 573 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 574 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 575 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 576 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 577 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 578 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 579 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 580 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 581 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 582 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 583 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 584 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 585 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 586 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 587 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 588 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 589 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 590 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 591 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 592 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 593 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 594 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 595 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 596 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 597 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 598 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 599 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 600 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 601 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 602 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 603 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 604 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 605 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 606 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 607 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 608 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 609 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 610 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 611 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 612 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 613 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 614 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 615 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 616 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 617 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 618 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 619 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 620 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 621 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 622 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 623 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 624 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 625 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 626 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 627 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 628 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 629 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 630 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 631 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 632 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 633 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 634 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 635 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 636 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 637 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 638 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 639 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 640 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 641 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 642 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 643 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 644 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 645 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 646 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 647 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 648 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 649 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 650 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 651 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 652 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 653 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 654 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 655 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 656 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 657 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 658 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 659 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 660 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 661 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 662 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 663 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 664 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 665 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 666 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 667 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 668 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 669 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 670 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 671 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 672 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 673 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 674 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 675 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 676 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 677 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 678 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 679 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 680 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 681 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 682 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 683 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 684 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 685 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 686 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 687 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 688 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 689 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 690 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 691 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 692 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 693 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 694 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 695 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 696 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 697 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 698 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 699 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 700 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 701 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 702 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 703 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 704 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 705 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 706 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 707 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 708 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 709 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 710 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 711 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 712 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 713 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 714 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 715 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 716 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 717 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 718 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 719 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 720 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 721 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 722 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 723 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 724 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 725 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 726 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 727 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 728 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 729 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 730 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 731 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 732 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 733 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 734 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 735 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 736 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 737 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 738 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 739 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 740 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 741 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 742 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 743 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 744 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 745 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 746 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 747 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 748 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 749 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 750 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 751 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 752 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 753 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 754 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 755 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 756 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 757 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 758 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 759 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 760 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 761 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 762 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 763 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 764 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 765 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 766 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 767 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 768 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 769 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 770 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 771 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 772 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 773 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 503 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 504 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 505 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 506 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 507 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 508 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 509 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 510 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 511 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 512 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 513 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 514 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 515 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 516 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 517 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 518 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 519 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 520 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 521 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 522 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 523 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 524 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 525 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 526 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 527 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 528 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 529 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 530 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 531 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 532 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 533 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 534 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 535 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 536 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 537 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 538 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 539 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 540 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 541 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 542 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 543 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 544 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 545 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 546 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 547 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 548 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 549 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 550 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 551 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 552 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 553 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 554 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 555 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 556 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 557 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 558 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 559 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 560 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 561 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 562 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 563 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 564 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 565 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 566 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 567 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 568 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 569 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 570 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 571 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 572 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 573 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 574 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 575 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 576 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 577 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 578 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 579 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 580 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 581 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 582 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 583 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 584 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 585 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 586 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 587 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 588 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 589 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 590 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 591 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 592 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 593 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 594 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 595 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 596 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 597 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 598 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 599 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 600 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 601 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 602 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 603 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 604 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 605 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 606 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 607 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 608 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 609 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 610 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 611 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 612 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 613 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 614 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 615 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 616 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 617 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 618 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 619 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 620 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 621 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 622 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 623 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 624 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 625 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 626 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 627 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 628 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 629 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 630 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 631 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 632 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 633 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 634 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 635 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 636 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 637 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 638 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 639 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 640 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 641 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 642 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 643 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 644 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 645 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 646 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 647 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 648 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 649 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 650 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 651 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 652 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 653 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 654 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 655 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 656 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 657 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 658 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 659 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 660 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 661 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 662 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 663 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 664 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 665 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 666 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 667 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 668 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 669 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 670 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 671 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 672 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 673 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 674 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 675 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 676 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 677 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 678 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 679 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 680 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 681 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 682 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 683 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 684 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 685 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 686 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 687 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 688 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 689 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 690 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 691 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 692 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 693 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 694 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 695 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 696 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 697 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 698 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 699 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 700 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 701 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 702 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 703 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 704 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 705 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 706 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 707 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 708 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 709 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 710 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 711 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 712 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 713 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 714 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 715 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 716 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 717 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 718 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 719 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 720 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 721 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 722 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 723 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 724 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 725 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 726 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 727 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 728 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 729 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 730 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 731 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 732 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 733 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 734 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 735 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 736 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 737 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 738 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 739 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 740 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 741 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 742 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 743 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 744 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 745 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 746 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 747 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 748 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 749 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 750 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 751 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 752 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 753 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 754 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 755 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 756 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 757 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 758 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 759 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 760 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 761 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 762 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 763 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 764 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 765 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 766 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 767 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 768 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 769 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 770 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 771 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 772 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 773 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | | 774 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 775 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 776 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform | From 8c68ce0dbffa5098035ab66831d17700d113cf93 Mon Sep 17 00:00:00 2001 From: Rotem Avni <52502521+rotemavni@users.noreply.github.com> Date: Wed, 18 Aug 2021 18:05:03 +0300 Subject: [PATCH 195/203] Fix contains attribute solver (#1518) * check if attribute contains value only if it is iterable * stringify portRange in arm check NSGRulePortAccessRestricted --- docs/5.Policy Index/serverless.md | 130 ------------------------------ 1 file changed, 130 deletions(-) diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index 020ab484d2..d35af83ca3 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md @@ -16,133 +16,3 @@ nav_order: 1 --- -| | Id | Type | Entity | Policy | IaC | -|-----|-------------|----------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| -| 0 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | -| 1 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | -| 2 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | -| 3 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | -| 4 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | -| 5 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | -| 6 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | -| 7 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | -| 8 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | -| 9 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | -| 10 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | -| 11 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | -| 12 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | -| 13 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | -| 14 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | -| 15 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 16 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | -| 17 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 18 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | -| 19 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | -| 20 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | -| 21 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | -| 22 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | -| 23 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | -| 24 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | -| 25 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | -| 26 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | -| 27 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | -| 28 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | -| 29 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | -| 30 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | -| 31 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | -| 32 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | -| 33 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | -| 34 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | -| 35 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | -| 36 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | -| 37 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | -| 38 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | -| 39 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | -| 40 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | -| 41 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | -| 42 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | -| 43 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | -| 44 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | -| 45 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | -| 46 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | -| 47 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | -| 48 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | -| 49 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | -| 50 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | -| 51 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | -| 52 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | -| 53 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | -| 54 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | -| 55 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | -| 56 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | -| 57 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | -| 58 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | -| 59 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | -| 60 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | -| 61 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | -| 62 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | -| 63 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | -| 64 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | -| 65 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | -| 66 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | -| 67 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | -| 68 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | -| 69 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | -| 70 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | -| 71 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | -| 72 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | -| 73 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | -| 74 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | -| 75 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | -| 76 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | -| 77 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | -| 78 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | -| 79 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | -| 80 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 81 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 82 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 83 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 84 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | -| 85 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 86 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 87 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 88 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 89 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | -| 90 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 91 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 92 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 93 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 94 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | -| 95 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 96 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 97 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 98 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 99 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | -| 100 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 101 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 102 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 103 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 104 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | -| 105 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | -| 106 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | -| 107 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | -| 108 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | -| 109 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | -| 110 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | -| 111 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | -| 112 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | -| 113 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | -| 114 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | -| 115 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | -| 116 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | -| 117 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | -| 118 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | -| 119 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | -| 120 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | -| 121 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | -| 122 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | - - ---- - - From 65a02a4d4ec476fc74d2b19e6f84b5211c98d5ab Mon Sep 17 00:00:00 2001 From: Rotem Avni <52502521+rotemavni@users.noreply.github.com> Date: Wed, 18 Aug 2021 18:05:03 +0300 Subject: [PATCH 196/203] Fix contains attribute solver (#1518) * check if attribute contains value only if it is iterable * stringify portRange in arm check NSGRulePortAccessRestricted --- docs/5.Policy Index/all.md | 622 ++++++++++++++++++------------------- 1 file changed, 311 insertions(+), 311 deletions(-) diff --git a/docs/5.Policy Index/all.md b/docs/5.Policy Index/all.md index f340922462..18755ddb7f 100644 --- a/docs/5.Policy Index/all.md +++ b/docs/5.Policy Index/all.md @@ -327,19 +327,19 @@ nav_order: 1 | 316 | CKV_AWS_171 | resource | aws_emr_security_configuration | Ensure Cluster security configuration encryption is using SSE-KMS | Terraform | | 317 | CKV_AWS_172 | resource | aws_qldb_ledger | Ensure QLDB ledger has deletion protection enabled | Terraform | | 318 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | -| 319 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | -| 320 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | -| 321 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | -| 322 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | -| 323 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 324 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | -| 325 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | -| 326 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 319 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | +| 320 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | +| 321 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 322 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | +| 323 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | +| 324 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | +| 325 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | +| 326 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | | 327 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to an other resource | Terraform | | 328 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | | 329 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | -| 330 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | -| 331 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 330 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | +| 331 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | | 332 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | | 333 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | | 334 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | @@ -349,10 +349,10 @@ nav_order: 1 | 338 | CKV2_AWS_13 | resource | aws_redshift_cluster | Ensure that Redshift clusters has backup plan of AWS Backup | Terraform | | 339 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | | 340 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | -| 341 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 342 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | -| 343 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | -| 344 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | +| 341 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 342 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer, are using Elastic Load Balancing health checks. | Terraform | +| 343 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | +| 344 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | | 345 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | | 346 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | | 347 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | @@ -361,8 +361,8 @@ nav_order: 1 | 350 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | | 351 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | | 352 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | -| 353 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | -| 354 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | +| 353 | CKV2_AWS_27 | resource | aws_db_instance | Postgres RDS has Query Logging enabled | Terraform | +| 354 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Postgres RDS has Query Logging enabled | Terraform | | 355 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | | 356 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | | 357 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | @@ -567,45 +567,45 @@ nav_order: 1 | 556 | CKV_AZURE_131 | resource | azurerm_security_center_contact | Ensure that 'Security contact emails' is set | Terraform | | 557 | CKV_AZURE_131 | parameter | secureString | SecureString parameter should not have hardcoded default values | arm | | 558 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | -| 559 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 560 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | -| 561 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 562 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 563 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 564 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 565 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 566 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | -| 567 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 568 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 569 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | -| 570 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | -| 571 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 559 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 560 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | +| 561 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 562 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 563 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 564 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 565 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 566 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | +| 567 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 568 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 569 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | +| 570 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | +| 571 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | | 572 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | | 573 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 574 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | | 575 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | -| 576 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | -| 577 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 576 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | +| 577 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | | 578 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | | 579 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | -| 580 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | -| 581 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | -| 582 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | -| 583 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | +| 580 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | +| 581 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | +| 582 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | +| 583 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | | 584 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | -| 585 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | -| 586 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 585 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | +| 586 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | | 587 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | | 588 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | | 589 | CKV2_AZURE_18 | resource | azurerm_storage_account_customer_managed_key | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 590 | CKV2_AZURE_18 | resource | azurerm_storage_account | Ensure that Storage Accounts use customer-managed key for encryption | Terraform | | 591 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | -| 592 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 592 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | | 593 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | -| 594 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | +| 594 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | | 595 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 596 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | -| 597 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 596 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | +| 597 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | | 598 | CKV_DOCKER_1 | dockerfile | EXPOSE | Ensure port 22 is not exposed | dockerfile | | 599 | CKV_DOCKER_2 | dockerfile | * | Ensure that HEALTHCHECK instructions have been added to container images | dockerfile | | 600 | CKV_DOCKER_3 | dockerfile | * | Ensure that a user for the container has been created | dockerfile | @@ -698,279 +698,279 @@ nav_order: 1 | 687 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | | 688 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | | 689 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | -| 690 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 691 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 692 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 693 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 694 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 695 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 696 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 697 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 698 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 699 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 700 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 701 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 702 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 703 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 704 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 705 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 706 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 707 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 708 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 709 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 710 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 711 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 712 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 713 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 714 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 715 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 716 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 717 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 718 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 719 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 720 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 721 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 722 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 723 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 724 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 725 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 726 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 727 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 728 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 729 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 730 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 690 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 691 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 692 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 693 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 694 | CKV2_GCP_3 | resource | google_monitoring_dashboard | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 695 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 696 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 697 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 698 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 699 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 700 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 701 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 702 | CKV2_GCP_3 | resource | google_bigquery_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 703 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 704 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 705 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 706 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 707 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 708 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 709 | CKV2_GCP_3 | resource | google_monitoring_slo | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 710 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 711 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 712 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 713 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 714 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 715 | CKV2_GCP_3 | resource | google_sourcerepo_repository | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 716 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 717 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 718 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 719 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 720 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 721 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 722 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 723 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 724 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 725 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 726 | CKV2_GCP_3 | resource | google_storage_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 727 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 728 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 729 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 730 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | | 731 | CKV2_GCP_3 | resource | google_pubsub_subscription | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 732 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 733 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 734 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 735 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 736 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 737 | CKV2_GCP_3 | resource | google_firestore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 738 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 739 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 740 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 741 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 742 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 743 | CKV2_GCP_3 | resource | google_folder_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 744 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 745 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 746 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 747 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 748 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 749 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 750 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 751 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 752 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 753 | CKV2_GCP_3 | resource | google_compute_snapshot | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 754 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 755 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 756 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 757 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 758 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 759 | CKV2_GCP_3 | resource | google_spanner_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 760 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 761 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 762 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 763 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 764 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 765 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 766 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 767 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 768 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 769 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 770 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 771 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 772 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 773 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 774 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 775 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 776 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 777 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 778 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 779 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 780 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 781 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 782 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 783 | CKV2_GCP_3 | resource | google_runtimeconfig_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 784 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 785 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 786 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 787 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 788 | CKV2_GCP_3 | resource | google_cloud_asset_organization_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 789 | CKV2_GCP_3 | resource | google_secret_manager_secret_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 790 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 791 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 792 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 793 | CKV2_GCP_3 | resource | google_app_engine_flexible_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 794 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 795 | CKV2_GCP_3 | resource | google_compute_node_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 796 | CKV2_GCP_3 | resource | google_data_catalog_tag | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 797 | CKV2_GCP_3 | resource | google_endpoints_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 798 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 799 | CKV2_GCP_3 | resource | google_compute_region_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 800 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 801 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 802 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 803 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 804 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 805 | CKV2_GCP_3 | resource | google_cloudiot_device | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 806 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 807 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 808 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 809 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 810 | CKV2_GCP_3 | resource | google_project_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 811 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 812 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 813 | CKV2_GCP_3 | resource | google_folder | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 814 | CKV2_GCP_3 | resource | google_healthcare_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 815 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 816 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 817 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 818 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 819 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 820 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 821 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 822 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 823 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 824 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 825 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 826 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 827 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 828 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 829 | CKV2_GCP_3 | resource | google_dataproc_job_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 830 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 831 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 832 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 833 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 834 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 835 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 836 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 837 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 838 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 839 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 840 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 841 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 842 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 843 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 844 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 845 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 846 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 847 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 848 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 849 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 850 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 851 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 852 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 853 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 854 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 855 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 856 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 857 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 858 | CKV2_GCP_3 | resource | google_spanner_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 859 | CKV2_GCP_3 | resource | google_compute_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 860 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 861 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 862 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 863 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 864 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 865 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 866 | CKV2_GCP_3 | resource | google_compute_reservation | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 867 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 868 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 869 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 870 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 871 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 872 | CKV2_GCP_3 | resource | google_redis_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 873 | CKV2_GCP_3 | resource | google_resource_manager_lien | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 874 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 875 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 876 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 877 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 878 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 879 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 880 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 881 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 882 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 883 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 884 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 885 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 886 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 887 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 888 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 889 | CKV2_GCP_3 | resource | google_access_context_manager_access_level | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 890 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 891 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 892 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 893 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 894 | CKV2_GCP_3 | resource | google_monitoring_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 895 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 896 | CKV2_GCP_3 | resource | google_compute_image | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 897 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 898 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 899 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 900 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 901 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 902 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 903 | CKV2_GCP_3 | resource | google_compute_backend_service_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 904 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 905 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 906 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 907 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 908 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 909 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 910 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 911 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 912 | CKV2_GCP_3 | resource | google_container_analysis_occurrence | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 913 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 914 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 915 | CKV2_GCP_3 | resource | google_bigtable_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 916 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 917 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 918 | CKV2_GCP_3 | resource | google_dataflow_flex_template_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 919 | CKV2_GCP_3 | resource | google_app_engine_service_split_traffic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 920 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 921 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 922 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 923 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 924 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 925 | CKV2_GCP_3 | resource | google_data_catalog_entry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 926 | CKV2_GCP_3 | resource | google_organization_iam_custom_role | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 927 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 928 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 929 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 930 | CKV2_GCP_3 | resource | google_compute_http_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 931 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 932 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 933 | CKV2_GCP_3 | resource | google_monitoring_notification_channel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 934 | CKV2_GCP_3 | resource | google_iap_client | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 935 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 936 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 937 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 938 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 939 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 940 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 941 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 942 | CKV2_GCP_3 | resource | google_sql_ssl_cert | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 943 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 944 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 945 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 946 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 947 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 948 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 949 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 950 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 951 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | -| 952 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 953 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 732 | CKV2_GCP_3 | resource | google_project_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 733 | CKV2_GCP_3 | resource | google_os_login_ssh_public_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 734 | CKV2_GCP_3 | resource | google_cloudbuild_trigger | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 735 | CKV2_GCP_3 | resource | google_compute_subnetwork_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 736 | CKV2_GCP_3 | resource | google_pubsub_topic_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 737 | CKV2_GCP_3 | resource | google_kms_secret_ciphertext | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 738 | CKV2_GCP_3 | resource | google_compute_network_peering | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 739 | CKV2_GCP_3 | resource | google_compute_target_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 740 | CKV2_GCP_3 | resource | google_iap_web_type_app_engine_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 741 | CKV2_GCP_3 | resource | google_scc_source | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 742 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 743 | CKV2_GCP_3 | resource | google_storage_bucket_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 744 | CKV2_GCP_3 | resource | google_storage_transfer_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 745 | CKV2_GCP_3 | resource | google_compute_region_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 746 | CKV2_GCP_3 | resource | google_sql_source_representation_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 747 | CKV2_GCP_3 | resource | google_compute_project_metadata_item | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 748 | CKV2_GCP_3 | resource | google_cloud_scheduler_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 749 | CKV2_GCP_3 | resource | google_storage_bucket_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 750 | CKV2_GCP_3 | resource | google_dns_managed_zone | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 751 | CKV2_GCP_3 | resource | google_storage_notification | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 752 | CKV2_GCP_3 | resource | google_compute_network | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 753 | CKV2_GCP_3 | resource | google_bigtable_app_profile | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 754 | CKV2_GCP_3 | resource | google_healthcare_dicom_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 755 | CKV2_GCP_3 | resource | google_network_management_connectivity_test_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 756 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 757 | CKV2_GCP_3 | resource | google_organization_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 758 | CKV2_GCP_3 | resource | google_billing_account_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 759 | CKV2_GCP_3 | resource | google_compute_interconnect_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 760 | CKV2_GCP_3 | resource | google_compute_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 761 | CKV2_GCP_3 | resource | google_compute_router_bgp_peer | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 762 | CKV2_GCP_3 | resource | google_project_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 763 | CKV2_GCP_3 | resource | google_endpoints_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 764 | CKV2_GCP_3 | resource | google_bigquery_table | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 765 | CKV2_GCP_3 | resource | google_folder_iam_audit_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 766 | CKV2_GCP_3 | resource | google_compute_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 767 | CKV2_GCP_3 | resource | google_identity_platform_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 768 | CKV2_GCP_3 | resource | google_os_config_patch_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 769 | CKV2_GCP_3 | resource | google_cloud_run_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 770 | CKV2_GCP_3 | resource | google_folder_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 771 | CKV2_GCP_3 | resource | google_secret_manager_secret | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 772 | CKV2_GCP_3 | resource | google_cloud_asset_folder_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 773 | CKV2_GCP_3 | resource | google_monitoring_uptime_check_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 774 | CKV2_GCP_3 | resource | google_compute_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 775 | CKV2_GCP_3 | resource | google_compute_instance_from_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 776 | CKV2_GCP_3 | resource | google_logging_billing_account_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 777 | CKV2_GCP_3 | resource | google_bigtable_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 778 | CKV2_GCP_3 | resource | google_logging_folder_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 779 | CKV2_GCP_3 | resource | google_dataproc_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 780 | CKV2_GCP_3 | resource | google_compute_region_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 781 | CKV2_GCP_3 | resource | google_storage_bucket_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 782 | CKV2_GCP_3 | resource | google_spanner_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 783 | CKV2_GCP_3 | resource | google_app_engine_application_url_dispatch_rules | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 784 | CKV2_GCP_3 | resource | google_storage_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 785 | CKV2_GCP_3 | resource | google_billing_account_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 786 | CKV2_GCP_3 | resource | google_usage_export_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 787 | CKV2_GCP_3 | resource | google_service_account_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 788 | CKV2_GCP_3 | resource | google_spanner_database_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 789 | CKV2_GCP_3 | resource | google_service_networking_connection | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 790 | CKV2_GCP_3 | resource | google_compute_region_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 791 | CKV2_GCP_3 | resource | google_compute_vpn_gateway | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 792 | CKV2_GCP_3 | resource | google_bigquery_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 793 | CKV2_GCP_3 | resource | google_compute_target_tcp_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 794 | CKV2_GCP_3 | resource | google_bigtable_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 795 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter_resource | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 796 | CKV2_GCP_3 | resource | google_identity_platform_tenant_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 797 | CKV2_GCP_3 | resource | google_project_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 798 | CKV2_GCP_3 | resource | google_project_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 799 | CKV2_GCP_3 | resource | google_compute_attached_disk | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 800 | CKV2_GCP_3 | resource | google_composer_environment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 801 | CKV2_GCP_3 | resource | google_compute_region_autoscaler | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 802 | CKV2_GCP_3 | resource | google_datastore_index | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 803 | CKV2_GCP_3 | resource | google_dialogflow_intent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 804 | CKV2_GCP_3 | resource | google_runtimeconfig_config_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 805 | CKV2_GCP_3 | resource | google_storage_hmac_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 806 | CKV2_GCP_3 | resource | google_bigtable_gc_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 807 | CKV2_GCP_3 | resource | google_logging_organization_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 808 | CKV2_GCP_3 | resource | google_compute_region_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 809 | CKV2_GCP_3 | resource | google_iap_tunnel_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 810 | CKV2_GCP_3 | resource | google_compute_backend_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 811 | CKV2_GCP_3 | resource | google_dataflow_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 812 | CKV2_GCP_3 | resource | google_iap_web_backend_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 813 | CKV2_GCP_3 | resource | google_logging_project_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 814 | CKV2_GCP_3 | resource | google_iap_web_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 815 | CKV2_GCP_3 | resource | google_project_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 816 | CKV2_GCP_3 | resource | google_compute_target_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 817 | CKV2_GCP_3 | resource | google_kms_key_ring | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 818 | CKV2_GCP_3 | resource | google_compute_target_ssl_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 819 | CKV2_GCP_3 | resource | google_compute_security_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 820 | CKV2_GCP_3 | resource | google_pubsub_topic | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 821 | CKV2_GCP_3 | resource | google_dialogflow_entity_type | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 822 | CKV2_GCP_3 | resource | google_container_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 823 | CKV2_GCP_3 | resource | google_binary_authorization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 824 | CKV2_GCP_3 | resource | google_compute_network_peering_routes_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 825 | CKV2_GCP_3 | resource | google_compute_ssl_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 826 | CKV2_GCP_3 | resource | google_compute_https_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 827 | CKV2_GCP_3 | resource | google_logging_folder_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 828 | CKV2_GCP_3 | resource | google_compute_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 829 | CKV2_GCP_3 | resource | google_compute_instance_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 830 | CKV2_GCP_3 | resource | google_logging_billing_account_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 831 | CKV2_GCP_3 | resource | google_compute_vpn_tunnel | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 832 | CKV2_GCP_3 | resource | google_secret_manager_secret_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 833 | CKV2_GCP_3 | resource | google_compute_region_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 834 | CKV2_GCP_3 | resource | google_healthcare_dataset | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 835 | CKV2_GCP_3 | resource | google_tpu_node | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 836 | CKV2_GCP_3 | resource | google_compute_instance_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 837 | CKV2_GCP_3 | resource | google_bigquery_data_transfer_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 838 | CKV2_GCP_3 | resource | google_organization_iam_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 839 | CKV2_GCP_3 | resource | google_billing_account_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 840 | CKV2_GCP_3 | resource | google_access_context_manager_service_perimeter | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 841 | CKV2_GCP_3 | resource | google_compute_firewall | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 842 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 843 | CKV2_GCP_3 | resource | google_storage_default_object_access_control | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 844 | CKV2_GCP_3 | resource | google_storage_bucket_object | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 845 | CKV2_GCP_3 | resource | google_iap_brand | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 846 | CKV2_GCP_3 | resource | google_compute_node_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 847 | CKV2_GCP_3 | resource | google_compute_router | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 848 | CKV2_GCP_3 | resource | google_compute_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 849 | CKV2_GCP_3 | resource | google_kms_key_ring_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 850 | CKV2_GCP_3 | resource | google_storage_bucket_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 851 | CKV2_GCP_3 | resource | google_container_analysis_note | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 852 | CKV2_GCP_3 | resource | google_iap_app_engine_version_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 853 | CKV2_GCP_3 | resource | google_app_engine_application | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 854 | CKV2_GCP_3 | resource | google_compute_route | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 855 | CKV2_GCP_3 | resource | google_compute_resource_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 856 | CKV2_GCP_3 | resource | google_logging_folder_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 857 | CKV2_GCP_3 | resource | google_app_engine_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 858 | CKV2_GCP_3 | resource | google_vpc_access_connector | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 859 | CKV2_GCP_3 | resource | google_healthcare_fhir_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 860 | CKV2_GCP_3 | resource | google_compute_subnetwork | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 861 | CKV2_GCP_3 | resource | google_organization_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 862 | CKV2_GCP_3 | resource | google_compute_project_default_network_tier | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 863 | CKV2_GCP_3 | resource | google_healthcare_fhir_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 864 | CKV2_GCP_3 | resource | google_compute_region_ssl_certificate | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 865 | CKV2_GCP_3 | resource | google_deployment_manager_deployment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 866 | CKV2_GCP_3 | resource | google_bigquery_dataset_access | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 867 | CKV2_GCP_3 | resource | google_organization_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 868 | CKV2_GCP_3 | resource | google_bigquery_dataset_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 869 | CKV2_GCP_3 | resource | google_cloud_asset_project_feed | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 870 | CKV2_GCP_3 | resource | google_container_cluster | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 871 | CKV2_GCP_3 | resource | google_folder_iam_binding | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 872 | CKV2_GCP_3 | resource | google_cloud_run_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 873 | CKV2_GCP_3 | resource | google_compute_project_metadata | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 874 | CKV2_GCP_3 | resource | google_compute_network_endpoint_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 875 | CKV2_GCP_3 | resource | google_folder_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 876 | CKV2_GCP_3 | resource | google_data_catalog_entry_group_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 877 | CKV2_GCP_3 | resource | google_dataproc_cluster_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 878 | CKV2_GCP_3 | resource | google_compute_global_network_endpoint | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 879 | CKV2_GCP_3 | resource | google_identity_platform_tenant | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 880 | CKV2_GCP_3 | resource | google_kms_crypto_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 881 | CKV2_GCP_3 | resource | google_logging_organization_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 882 | CKV2_GCP_3 | resource | google_cloud_run_domain_mapping | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 883 | CKV2_GCP_3 | resource | google_compute_router_interface | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 884 | CKV2_GCP_3 | resource | google_compute_region_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 885 | CKV2_GCP_3 | resource | google_container_node_pool | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 886 | CKV2_GCP_3 | resource | google_kms_crypto_key_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 887 | CKV2_GCP_3 | resource | google_app_engine_firewall_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 888 | CKV2_GCP_3 | resource | google_logging_billing_account_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 889 | CKV2_GCP_3 | resource | google_dns_record_set | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 890 | CKV2_GCP_3 | resource | google_iap_app_engine_service_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 891 | CKV2_GCP_3 | resource | google_storage_default_object_acl | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 892 | CKV2_GCP_3 | resource | google_healthcare_hl7_v2_store | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 893 | CKV2_GCP_3 | resource | google_healthcare_dicom_store_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 894 | CKV2_GCP_3 | resource | google_sql_database | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 895 | CKV2_GCP_3 | resource | google_monitoring_alert_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 896 | CKV2_GCP_3 | resource | google_compute_region_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 897 | CKV2_GCP_3 | resource | google_compute_instance_group_manager | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 898 | CKV2_GCP_3 | resource | google_compute_router_nat | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 899 | CKV2_GCP_3 | resource | google_compute_target_http_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 900 | CKV2_GCP_3 | resource | google_sql_user | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 901 | CKV2_GCP_3 | resource | google_compute_instance_group_named_port | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 902 | CKV2_GCP_3 | resource | google_sourcerepo_repository_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 903 | CKV2_GCP_3 | resource | google_logging_project_sink | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 904 | CKV2_GCP_3 | resource | google_dataproc_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 905 | CKV2_GCP_3 | resource | google_storage_bucket_iam_member | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 906 | CKV2_GCP_3 | resource | google_app_engine_standard_app_version | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 907 | CKV2_GCP_3 | resource | google_access_context_manager_access_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 908 | CKV2_GCP_3 | resource | google_identity_platform_tenant_oauth_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 909 | CKV2_GCP_3 | resource | google_monitoring_metric_descriptor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 910 | CKV2_GCP_3 | resource | google_compute_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 911 | CKV2_GCP_3 | resource | google_data_catalog_entry_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 912 | CKV2_GCP_3 | resource | google_filestore_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 913 | CKV2_GCP_3 | resource | google_cloudfunctions_cloud_function_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 914 | CKV2_GCP_3 | resource | google_compute_backend_service | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 915 | CKV2_GCP_3 | resource | google_identity_platform_tenant_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 916 | CKV2_GCP_3 | resource | google_compute_health_check | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 917 | CKV2_GCP_3 | resource | google_runtimeconfig_variable | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 918 | CKV2_GCP_3 | resource | google_storage_bucket | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 919 | CKV2_GCP_3 | resource | google_active_directory_domain | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 920 | CKV2_GCP_3 | resource | google_logging_project_bucket_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 921 | CKV2_GCP_3 | resource | google_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 922 | CKV2_GCP_3 | resource | google_compute_target_https_proxy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 923 | CKV2_GCP_3 | resource | google_cloudfunctions_function | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 924 | CKV2_GCP_3 | resource | google_identity_platform_default_supported_idp_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 925 | CKV2_GCP_3 | resource | google_binary_authorization_attestor_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 926 | CKV2_GCP_3 | resource | google_dialogflow_agent | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 927 | CKV2_GCP_3 | resource | google_logging_organization_exclusion | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 928 | CKV2_GCP_3 | resource | google_compute_global_forwarding_rule | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 929 | CKV2_GCP_3 | resource | google_cloudiot_device_registry | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 930 | CKV2_GCP_3 | resource | google_data_catalog_tag_template | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 931 | CKV2_GCP_3 | resource | google_dns_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 932 | CKV2_GCP_3 | resource | google_cloud_tasks_queue | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 933 | CKV2_GCP_3 | resource | google_binary_authorization_attestor | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 934 | CKV2_GCP_3 | resource | google_compute_url_map | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 935 | CKV2_GCP_3 | resource | google_compute_disk_resource_policy_attachment | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 936 | CKV2_GCP_3 | resource | google_ml_engine_model | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 937 | CKV2_GCP_3 | resource | google_compute_shared_vpc_service_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 938 | CKV2_GCP_3 | resource | google_pubsub_subscription_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 939 | CKV2_GCP_3 | resource | google_compute_shared_vpc_host_project | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 940 | CKV2_GCP_3 | resource | google_kms_key_ring_import_job | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 941 | CKV2_GCP_3 | resource | google_sql_database_instance | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 942 | CKV2_GCP_3 | resource | google_identity_platform_inbound_saml_config | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 943 | CKV2_GCP_3 | resource | google_iap_web_type_compute_iam | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 944 | CKV2_GCP_3 | resource | google_monitoring_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 945 | CKV2_GCP_3 | resource | google_organization_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 946 | CKV2_GCP_3 | resource | google_compute_backend_bucket_signed_url_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 947 | CKV2_GCP_3 | resource | google_compute_instance_group | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 948 | CKV2_GCP_3 | resource | google_dataproc_autoscaling_policy | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 949 | CKV2_GCP_3 | resource | google_service_account | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 950 | CKV2_GCP_3 | resource | google_logging_metric | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 951 | CKV2_GCP_3 | resource | google_compute_global_address | Ensure that there are only GCP-managed service account keys for each service account | Terraform | +| 952 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 953 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | | 954 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 955 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | -| 956 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 957 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | -| 958 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 959 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 955 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | +| 956 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 957 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | +| 958 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | +| 959 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | | 960 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | -| 961 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | -| 962 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 961 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | +| 962 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | | 963 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform | | 964 | CKV_K8S_1 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host process ID namespace | Kubernetes | | 965 | CKV_K8S_2 | resource | PodSecurityPolicy | Do not admit privileged containers | Kubernetes | From 0f972226bfa1d70dbec56ec9d009a2be09040e97 Mon Sep 17 00:00:00 2001 From: Rotem Avni <52502521+rotemavni@users.noreply.github.com> Date: Wed, 18 Aug 2021 18:05:03 +0300 Subject: [PATCH 197/203] Fix contains attribute solver (#1518) * check if attribute contains value only if it is iterable * stringify portRange in arm check NSGRulePortAccessRestricted --- docs/5.Policy Index/serverless.md | 130 ++++++++++++++++++++++++++++++ 1 file changed, 130 insertions(+) diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index d35af83ca3..020ab484d2 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md @@ -16,3 +16,133 @@ nav_order: 1 --- +| | Id | Type | Entity | Policy | IaC | +|-----|-------------|----------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| +| 0 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | +| 1 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | +| 2 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | +| 3 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | +| 4 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | +| 5 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | +| 6 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | +| 7 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | +| 8 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | +| 9 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | +| 10 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | +| 11 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | +| 12 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | +| 13 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | +| 14 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | +| 15 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 16 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | +| 17 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 18 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | +| 19 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | +| 20 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | +| 21 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation | +| 22 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation | +| 23 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation | +| 24 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation | +| 25 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | +| 26 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | +| 27 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | +| 28 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | +| 29 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | +| 30 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | +| 31 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | +| 32 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | +| 33 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | +| 34 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation | +| 35 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | +| 36 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | +| 37 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | +| 38 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation | +| 39 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | +| 40 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | +| 41 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation | +| 42 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | +| 43 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | +| 44 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | +| 45 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | +| 46 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation | +| 47 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | +| 48 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | +| 49 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | +| 50 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | +| 51 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | +| 52 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | +| 53 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | +| 54 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | +| 55 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation | +| 56 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | +| 57 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | +| 58 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | +| 59 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | +| 60 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | +| 61 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | +| 62 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation | +| 63 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation | +| 64 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | +| 65 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | +| 66 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | +| 67 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | +| 68 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation | +| 69 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | +| 70 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | +| 71 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | +| 72 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | +| 73 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation | +| 74 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | +| 75 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | +| 76 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation | +| 77 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | +| 78 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB has audit logs enabled | Cloudformation | +| 79 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | +| 80 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 81 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 82 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 83 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 84 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | +| 85 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 86 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 87 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 88 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 89 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | +| 90 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 91 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 92 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 93 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 94 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | +| 95 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 96 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 97 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 98 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 99 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | +| 100 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 101 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 102 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 103 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 104 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | +| 105 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | +| 106 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | +| 107 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | +| 108 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | +| 109 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | +| 110 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | +| 111 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | +| 112 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | +| 113 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | +| 114 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | +| 115 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | +| 116 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | +| 117 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | +| 118 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | +| 119 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure Dynamodb global table point in time recovery (backup) is enabled | Cloudformation | +| 120 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | +| 121 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | +| 122 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | + + +--- + + From e490780f294cae91782aa2fb44418e2865cb7c9c Mon Sep 17 00:00:00 2001 From: Rotem Avni <52502521+rotemavni@users.noreply.github.com> Date: Wed, 18 Aug 2021 18:05:03 +0300 Subject: [PATCH 198/203] Fix contains attribute solver (#1518) * check if attribute contains value only if it is iterable * stringify portRange in arm check NSGRulePortAccessRestricted --- checkov/version.py | 2 +- kubernetes/requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/checkov/version.py b/checkov/version.py index 8f7562b55a..9b3583523b 100644 --- a/checkov/version.py +++ b/checkov/version.py @@ -1 +1 @@ -version = '2.0.362' +version = '2.0.363' diff --git a/kubernetes/requirements.txt b/kubernetes/requirements.txt index f664497b06..7c1a0b08aa 100644 --- a/kubernetes/requirements.txt +++ b/kubernetes/requirements.txt @@ -1 +1 @@ -checkov==2.0.362 +checkov==2.0.363 From 16b2176c3245d5251f7a7028e76ca56735bf2085 Mon Sep 17 00:00:00 2001 From: Pandora <58219367+Homopatrol@users.noreply.github.com> Date: Mon, 23 Aug 2021 10:38:58 +0100 Subject: [PATCH 199/203] Update entrypoint.sh --- github_action_resources/entrypoint.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/github_action_resources/entrypoint.sh b/github_action_resources/entrypoint.sh index 2b473e344e..19aabb48cb 100755 --- a/github_action_resources/entrypoint.sh +++ b/github_action_resources/entrypoint.sh @@ -8,6 +8,9 @@ then exit $? fi +# added in for some debugging +echo "GitHub workspace is $GITHUB_WORKSPACE" + # Actions pass inputs as $INPUT_ environmet variables # [[ -n "$INPUT_CHECK" ]] && CHECK_FLAG="--check $INPUT_CHECK" From 9e5140d2e8cc3553cf491baf35605b4e5433bc48 Mon Sep 17 00:00:00 2001 From: Pandora <58219367+Homopatrol@users.noreply.github.com> Date: Mon, 23 Aug 2021 10:44:17 +0100 Subject: [PATCH 200/203] Update Dockerfile --- Dockerfile | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/Dockerfile b/Dockerfile index d95ed12d44..8925a01c71 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,8 +1,5 @@ FROM python:3.7-alpine -ARG UID=1000 -ARG GID=1000 -ARG USERNAME=checkov RUN apk update && apk add --no-cache git util-linux bash openssl && \ pip install --no-cache-dir -U checkov && \ @@ -10,9 +7,9 @@ RUN apk update && apk add --no-cache git util-linux bash openssl && \ addgroup -S -g ${GID} ${USERNAME} && \ adduser -S -D -u ${UID} -G ${USERNAME} ${USERNAME} -COPY --chown=${USERNAME}:0 ./github_action_resources/entrypoint.sh /entrypoint.sh -COPY --chown=${USERNAME}:0 ./github_action_resources/checkov-problem-matcher.json /usr/local/lib/checkov-problem-matcher.json -COPY --chown=${USERNAME}:0 ./github_action_resources/checkov-problem-matcher-softfail.json /usr/local/lib/checkov-problem-matcher-softfail.json +COPY ./github_action_resources/entrypoint.sh /entrypoint.sh +COPY ./github_action_resources/checkov-problem-matcher.json /usr/local/lib/checkov-problem-matcher.json +COPY ./github_action_resources/checkov-problem-matcher-softfail.json /usr/local/lib/checkov-problem-matcher-softfail.json USER ${UID} From a7743eb6a8d5227c8ff9933bd4364e13a7e968ec Mon Sep 17 00:00:00 2001 From: Pandora <58219367+Homopatrol@users.noreply.github.com> Date: Mon, 23 Aug 2021 10:45:58 +0100 Subject: [PATCH 201/203] Update entrypoint.sh --- github_action_resources/entrypoint.sh | 3 --- 1 file changed, 3 deletions(-) diff --git a/github_action_resources/entrypoint.sh b/github_action_resources/entrypoint.sh index 19aabb48cb..2b473e344e 100755 --- a/github_action_resources/entrypoint.sh +++ b/github_action_resources/entrypoint.sh @@ -8,9 +8,6 @@ then exit $? fi -# added in for some debugging -echo "GitHub workspace is $GITHUB_WORKSPACE" - # Actions pass inputs as $INPUT_ environmet variables # [[ -n "$INPUT_CHECK" ]] && CHECK_FLAG="--check $INPUT_CHECK" From e58e3d392b773a87516df9bd43a39ba9c2716b10 Mon Sep 17 00:00:00 2001 From: Pandora <58219367+Homopatrol@users.noreply.github.com> Date: Mon, 23 Aug 2021 10:47:56 +0100 Subject: [PATCH 202/203] Update Dockerfile --- Dockerfile | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/Dockerfile b/Dockerfile index 8925a01c71..e39ad6592a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,17 +1,13 @@ FROM python:3.7-alpine +RUN apk update && apk add --no-cache git util-linux bash openssl -RUN apk update && apk add --no-cache git util-linux bash openssl && \ - pip install --no-cache-dir -U checkov && \ - wget -q -O get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3; chmod 700 get_helm.sh; VERIFY_CHECKSUM=true ./get_helm.sh; rm ./get_helm.sh && \ - addgroup -S -g ${GID} ${USERNAME} && \ - adduser -S -D -u ${UID} -G ${USERNAME} ${USERNAME} +RUN pip install --no-cache-dir -U checkov +RUN wget -q -O get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3; chmod 700 get_helm.sh; VERIFY_CHECKSUM=true ./get_helm.sh; rm ./get_helm.sh COPY ./github_action_resources/entrypoint.sh /entrypoint.sh COPY ./github_action_resources/checkov-problem-matcher.json /usr/local/lib/checkov-problem-matcher.json COPY ./github_action_resources/checkov-problem-matcher-softfail.json /usr/local/lib/checkov-problem-matcher-softfail.json -USER ${UID} - # Code file to execute when the docker container starts up (`entrypoint.sh`) ENTRYPOINT ["/entrypoint.sh"] From 8f079e5170d1d51b4a68bef06f4c622093265234 Mon Sep 17 00:00:00 2001 From: Lars Gohr Date: Mon, 27 Mar 2023 23:58:35 +0200 Subject: [PATCH 203/203] Updated elgohr/Publish-Docker-Github-Action to a supported version (v5) --- .github/workflows/build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index ac2df3eb62..faf86d173d 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -190,7 +190,7 @@ jobs: env: ACTIONS_ALLOW_UNSECURE_COMMANDS: 'true' - name: Publish to Registry - uses: elgohr/Publish-Docker-Github-Action@master + uses: elgohr/Publish-Docker-Github-Action@v5 with: name: bridgecrew/checkov username: ${{ secrets.DOCKER_USERNAME }} @@ -212,7 +212,7 @@ jobs: env: ACTIONS_ALLOW_UNSECURE_COMMANDS: 'true' - name: Publish to Registry - uses: elgohr/Publish-Docker-Github-Action@master + uses: elgohr/Publish-Docker-Github-Action@v5 with: name: bridgecrew/checkov-k8s username: ${{ secrets.DOCKER_USERNAME }}